Cyber Resilience

CVE-2025-49217

CriticalRCE

Published: 17 June 2025

Published
17 June 2025
Modified
08 September 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0297 86.8th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-49217 is a critical-severity Use of Obsolete Function (CWE-477) vulnerability in Trendmicro Trend Micro Endpoint Encryption. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 13.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

An insecure deserialization operation in the Trend Micro Endpoint Encryption PolicyServer can lead to pre-authentication remote code execution on affected installations. The issue, tracked as CVE-2025-49217 with CVSS 9.8, stems from CWE-502 and is similar to CVE-2025-49213 but occurs in a different method.

Unauthenticated attackers with network access can exploit the flaw without credentials or user interaction to execute arbitrary code, resulting in full compromise of confidentiality, integrity, and availability on the target system.

Advisories addressing the vulnerability are published by Trend Micro at https://success.trendmicro.com/en-US/solution/KA-0019928 and by the Zero Day Initiative at https://www.zerodayinitiative.com/advisories/ZDI-25-374/. The associated EPSS score remains low, with a current value of 0.0297 and a peak of 0.0358.

EU & UK References

Vulnerability details

An insecure deserialization operation in the Trend Micro Endpoint Encryption PolicyServer could lead to a pre-authentication remote code execution on affected installations. Note that this vulnerability is similar to CVE-2025-49213 but is in a different method.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

trendmicro
trend micro endpoint encryption
≤ 6.0.0.4013

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-502

Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.

addresses: CWE-477

Institutionalized information sharing keeps developers aware of obsolete functions and the need to replace them with supported alternatives.

addresses: CWE-477

Regular reassessment flags use of obsolete functions whose security properties have degraded or whose replacements contain fixes for known weaknesses.

addresses: CWE-502

Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.

addresses: CWE-477

Eliminates reliance on functions or components explicitly declared obsolete and unsupported by their maintainers.

addresses: CWE-502

Untrusted serialized data can be deserialized and observed inside the chamber, blocking gadget-chain exploitation outside the sandbox.

addresses: CWE-502

Validates or rejects untrusted serialized data before deserialization occurs.

addresses: CWE-477

Software and firmware updates replace obsolete functions whose retained presence leaves systems exposed to publicly known weaknesses.

References