CVE-2025-49212
Published: 17 June 2025
Summary
CVE-2025-49212 is a critical-severity Use of Obsolete Function (CWE-477) vulnerability in Trend Micro Endpoint Encryption. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 9.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-49212 is an insecure deserialization vulnerability in the Trend Micro Endpoint Encryption PolicyServer that enables pre-authentication remote code execution on affected installations. The issue stems from improper handling of serialized data and is tracked under CWEs 477 and 502; it is similar to CVE-2025-49220 but resides in a separate method. The flaw received a CVSS 3.1 score of 9.8 reflecting network attack vector, low complexity, and no required privileges or user interaction.
An unauthenticated attacker with network access can supply malicious serialized objects to the PolicyServer, triggering arbitrary code execution and full compromise of the affected system without any authentication. The published EPSS score remains low, with a current value of 0.0527 and a peak of 0.0630.
Advisories addressing the issue are available from Trend Micro at https://success.trendmicro.com/en-US/solution/KA-0019928 and from the Zero Day Initiative at https://www.zerodayinitiative.com/advisories/ZDI-25-369/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-18640
Vulnerability details
An insecure deserialization operation in the Trend Micro Endpoint Encryption PolicyServer could lead to a pre-authentication remote code execution on affected installations. Note that this vulnerability is similar to CVE-2025-49220 but is in a different method.
- CWE(s): CWE-477 (Use of Obsolete Function), CWE-502 (Deserialization of Untrusted Data)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing that supplies malicious serialized objects detects unsafe deserialization and supports corrective action.
- Institutionalized information sharing keeps developers aware of obsolete functions and of the need to replace them with supported alternatives.
- Regular reassessment flags the use of obsolete functions whose security properties have degraded, or whose replacements contain fixes for known weaknesses.
- Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process then addresses.
- Removing obsolete components eliminates reliance on functions or components explicitly declared obsolete and unsupported by their maintainers.
- Sandboxing lets untrusted serialized data be deserialized and observed inside an isolated environment, so that gadget-chain exploitation cannot reach systems outside the sandbox.
- Input validation validates or rejects untrusted serialized data before deserialization occurs.
- Software and firmware updates replace obsolete functions whose continued presence leaves systems exposed to publicly known weaknesses.