Date: 18 June 2025

Multiple critical vulnerabilities have been discovered in Trend Micro Apex Central (on-premises) and Trend Micro Endpoint Encryption Policy Server. These flaws include insecure deserialization and authentication bypass issues that could allow unauthenticated remote code execution or administrative access, leading to full system compromise.

 

Overview

These vulnerabilities stem from unsafe deserialization processes and flawed authentication checks. If exploited, they could allow attackers to execute arbitrary code or bypass authentication mechanisms without valid credentials. The impact includes potential full takeover of affected systems, disruption of endpoint policies, and unauthorised administrative changes across environments using vulnerable versions of Trend Micro software.

Trend Micro Apex Central (On-Premises)

  • CVE-2025-49219
  • CVE-2025-49220

Trend Micro Endpoint Encryption Policy Server

  • CVE-2025-49212
  • CVE-2025-49213
  • CVE-2025-49216
  • CVE-2025-49217

General Recommendations

  • Patch immediately: Upgrade to the fixed versions for all affected products.
  • Restrict remote access: Limit exposure of management interfaces and ensure perimeter security is up to date.
  • Monitor systems: Review logs for suspicious activity and indicators of compromise.
  • Apply network protections: Use available IPS/IDS rules if you have Trend Micro TippingPoint or Cloud One Network Security.

Need Help?

If your organisation requires assistance identifying affected systems, applying updates or adjusting controller configurations, our team is here to help. Email us via soc@secure-iss.com for assistance.