Trend Micro has released security updates to address multiple critical-severity remote code execution and authentication bypass vulnerabilities that impact its Apex Central and Endpoint Encryption (TMEE) PolicyServer products.
The security vendor underlines that it has seen no evidence of active exploitation in the wild for any of them. However, immediate application of the security updates is recommended to address the risks.
Trend Micro Endpoint Encryption PolicyServer is a central management server for Trend Micro Endpoint Encryption (TMEE), providing full disk encryption and removable media encryption for Windows-based endpoints.
The product is used in enterprise environments in regulated industries where compliance with data protection standards is critical.
With the latest update, Trend Micro addressed the following high-severity and critical flaws:
CVE-2025-49212 - A pre-authentication remote code execution flaw caused by insecure deserialization in the PolicyValueTableSerializationBinder class. Remote attackers can exploit it to execute arbitrary code as SYSTEM without requiring login
A pre-authentication remote code execution flaw caused by insecure deserialization in the PolicyValueTableSerializationBinder class. Remote attackers can exploit it to execute arbitrary code as SYSTEM without requiring login CVE-2025-49213 - A pre-authentication remote code execution vulnerability in the PolicyServerWindowsService class, stemming from deserialization of untrusted data. Attackers can run arbitrary code as SYSTEM with no authentication required
A pre-authentication remote code execution vulnerability in the PolicyServerWindowsService class, stemming from deserialization of untrusted data. Attackers can run arbitrary code as SYSTEM with no authentication required CVE-2025-49216 - An authentication bypass flaw in the DbAppDomain service due to a broken auth implementation. Remote attackers can fully bypass login and perform admin-level actions without credentials
An authentication bypass flaw in the DbAppDomain service due to a broken auth implementation. Remote attackers can fully bypass login and perform admin-level actions without credentials CVE-2025-49217 - A pre-authentication RCE vulnerability in the ValidateToken method, triggered by unsafe deserialization. While slightly harder to exploit, it still allows unauthenticated attackers to run code as SYSTEM
It should be noted that while Trend Micro's security bulletin for Endpoint Encryption PolicyServer lists all four vulnerabilities above as critical, ZDI's advisory asessed CVE-2025-49217 as being a high-severity vulnerability.
... continue reading