CVE-2025-49157
BaseFortify
Publication date: 2025-06-17
Last updated on: 2025-09-09
Assigner: Trend Micro, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trendmicro | apex_one | to 14.0.14492 (exc) |
| trendmicro | apex_one | From 14.0.0.12994 (inc) to 14.0.0.14002 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-49157 is a local privilege escalation vulnerability in the Trend Micro Apex One Damage Cleanup Engine. An attacker who already has the ability to run low-privileged code on the system can exploit this flaw by creating a filesystem junction to trick the service into deleting a folder. This manipulation allows the attacker to execute arbitrary code with SYSTEM-level privileges, effectively escalating their access rights on the affected system. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with limited access to escalate their privileges to SYSTEM level, which is the highest level of access on a Windows system. This means the attacker could gain full control over the affected system, potentially leading to unauthorized access to sensitive data, modification or deletion of critical files, and disruption of system availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a local privilege escalation issue within the Trend Micro Apex One Damage Cleanup Engine. Detection involves verifying if the affected Trend Micro Apex One Security Agent is installed and if the Damage Cleanup Engine component is present. Since exploitation involves creating junction points to manipulate the service, monitoring for unusual junction creation or suspicious folder deletions related to the Trend Micro Common Client Real-time Scan Service could indicate exploitation attempts. Specific commands to detect this include using Windows PowerShell or Command Prompt to check for junction points (e.g., 'dir /AL' to list junctions) and reviewing running services related to Trend Micro Apex One. However, no explicit detection commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the update released by Trend Micro that addresses and fixes this vulnerability in the Apex One Damage Cleanup Engine. Additionally, ensure that only trusted users have the ability to execute code on the system, as exploitation requires prior low-privileged code execution. Monitoring and restricting creation of junction points and suspicious folder deletions related to the Trend Micro service may also help reduce risk until the patch is applied. [1]