An insecure deserialization operation in the Trend Micro Endpoint Encryption PolicyServer could lead to a pre-authentication remote code execution on affected installations. Note that this vulnerability is similar to CVE-2025-49220 but is in a different method.
The PolicyServer component handles data deserialization in an unsafe manner (insecure deserialization), meaning that input data supplied by an attacker is deserialized without proper validation or filtering. An attacker can craft a malicious payload and submit it to the server before the authentication process. The vulnerability affects a different method than the related CVE-2025-49220, but both flaws have similar characteristics and consequences.
An attacker can gain full control over the system running PolicyServer, including the ability to read, modify or delete data, and perform lateral movement across the network. Compromise of the encryption policy management server could result in the disclosure of authentication credentials and encryption keys managed by the product.
Patches available from the vendor should be applied according to references — details in the Trend Micro bulletin: https://success.trendmicro.com/en-US/solution/KA-0019928. Due to pre-authentication RCE with CVSS 9.8 rating, the update should be deployed immediately. Until the update is applied, it is recommended to restrict network access to PolicyServer only to trusted hosts using a firewall.
Trend Micro Endpoint Encryption PolicyServer running on Microsoft Windows — specific versions indicated in the vendor's references (https://success.trendmicro.com/en-US/solution/KA-0019928)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMicrosoft Windows
OSMicrosoftwszystkie wersjeTrendmicro Trend Micro Endpoint Encryption
APPTrendmicro< 6.0.0.4013
Related vulnerabilities
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit