CVE-2025-49220
Published: 17 June 2025
Summary
CVE-2025-49220 is a critical-severity Use of Obsolete Function (CWE-477) vulnerability in Trend Micro Apex Central. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 7.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
An insecure deserialization flaw exists in Trend Micro Apex Central versions prior to 8.0.7007. The vulnerability, tracked as CVE-2025-49220 and assigned CWE-502 along with CWE-477, permits unauthenticated remote code execution and carries a CVSS 3.1 score of 9.8. It resides in a different code path from the related CVE-2025-49219 but shares the same root cause of unsafe handling of serialized data.
An attacker with network access can submit a crafted serialized object to the affected Apex Central instance without requiring credentials or user interaction. Successful exploitation grants arbitrary code execution with the privileges of the application, enabling full compromise of the management server.
The vendor advisory at success.trendmicro.com directs customers to upgrade to Apex Central 8.0.7007 or later. The Zero Day Initiative advisory ZDI-25-367 corroborates the pre-authentication remote code execution impact and aligns with the official fix guidance.
EPSS scores have remained in a narrow band between 0.0836 and a peak of 0.0992, with no pronounced upward trajectory since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-18514
Vulnerability details
An insecure deserialization operation in Trend Micro Apex Central below version 8.0.7007 could lead to a pre-authentication remote code execution on affected installations. Note that this vulnerability is similar to CVE-2025-49219 but is in a different method.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.
- Institutionalized information sharing keeps developers aware of obsolete functions and the need to replace them with supported alternatives.
- Regular reassessment flags use of obsolete functions whose security properties have degraded or whose replacements contain fixes for known weaknesses.
- Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.
- Eliminating reliance on functions or components explicitly declared obsolete and unsupported by their maintainers.
- Untrusted serialized data can be deserialized and observed inside a sandbox, blocking gadget-chain exploitation outside it.
- Validating or rejecting untrusted serialized data before deserialization occurs.
- Software and firmware updates replace obsolete functions whose retained presence leaves systems exposed to publicly known weaknesses.