CVE-2025-49218
BaseFortify
Publication date: 2025-06-17
Last updated on: 2025-09-08
Assigner: Trend Micro, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trendmicro | trend_micro_endpoint_encryption | to 6.0.0.4013 (exc) |
| microsoft | windows | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can allow an attacker to escalate their privileges on the affected system, potentially gaining access to protected resources and sensitive data. It can compromise the confidentiality, integrity, and availability of the system, leading to unauthorized data access, modification, or disruption of services. [1]
Can you explain this vulnerability to me?
CVE-2025-49218 is a post-authentication SQL injection vulnerability in Trend Micro Endpoint Encryption PolicyServer. It allows an attacker who already has low-privileged access to execute specially crafted SQL queries due to improper validation of user input in the ProcessWhereClause method. This can lead to privilege escalation, enabling the attacker to gain higher-level access and control over the system. [1]
What immediate steps should I take to mitigate this vulnerability?
Apply the update released by Trend Micro to address and fix this vulnerability as soon as possible to mitigate the risk of privilege escalation via SQL injection. [1]