CVE-2025-49217
BaseFortify
Publication date: 2025-06-17
Last updated on: 2025-09-08
Assigner: Trend Micro, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trendmicro | trend_micro_endpoint_encryption | to 6.0.0.4013 (exc) |
| microsoft | windows | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
| CWE-477 | The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an insecure deserialization flaw in the Trend Micro Endpoint Encryption PolicyServer. It occurs due to improper validation in the ValidateToken method, which leads to deserialization of untrusted data. This allows a remote attacker to execute arbitrary code on the affected system with SYSTEM privileges without needing to authenticate. [1]
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can remotely execute arbitrary code with SYSTEM-level privileges on the affected system without authentication. This can lead to full compromise of the system, including unauthorized access, data theft, disruption of services, or further attacks within the network. [1]
What immediate steps should I take to mitigate this vulnerability?
Apply the update released by Trend Micro to address and fix this security issue in the Endpoint Encryption PolicyServer. [1]