CRITICAL🇵🇱 Wersja polska

CVE-2025-49219

CVSS 9.8v3.1pub. 2025-06-17upd. 2025-09-08

An insecure deserialization operation in Trend Micro Apex Central below versions 8.0.7007 could lead to a pre-authentication remote code execution on affected installations. Note that this vulnerability is similar to CVE-2025-49220 but is in a different method.

🤖 AI Analysis
How it works

The bug lies in the use of an unsafe deserialization operation (CWE-477, CWE-502), which processes untrusted data supplied by an attacker without proper verification. An attacker can send a crafted payload to a vulnerable endpoint of the application without prior authentication. Deserialization of the malicious object leads to arbitrary code execution in the context of the server process. The vulnerability is similar to CVE-2025-49220, but affects a different method in the application code.

Impact

An attacker can remotely and without authentication execute arbitrary code on the server, which in practice means complete takeover of the system — violation of confidentiality, integrity, and availability of data.

Mitigation & patch

Trend Micro Apex Central should be updated to version 8.0.7007 or later. Detailed instructions are available in the vendor bulletin at: https://success.trendmicro.com/en-US/solution/KA-0019926

Who is affected

Trend Micro Apex Central versions below 8.0.7007, installed on Microsoft Windows.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Microsoft Windows

    OS
    Microsoft
    wszystkie wersje
  • Trendmicro Apex Central

    APP
    Trendmicro
    2019
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2024-7262CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows

CVE-2024-4577CRITICAL9.8⚠ KEVPL ✓ten sam produkt

PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit