CVE-2025-49154

CWE-284 — Improper Access Control3 documents3 sources

Severity

7.8HIGH

EPSS

0.1%

top 84.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Trend Micro, Inc. Trend Micro Apex ONE Trend Micro, Inc. Trend Micro Apex ONE AS A Service Trend Micro, Inc. Worry-free Business Security +3 more

Timeline

PublishedJun 17

Description

An insecure access control vulnerability in Trend Micro Apex One and Trend Micro Worry-Free Business Security could allow a local attacker to overwrite key memory-mapped files which could then have severe consequences for the security and stability of affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:HExploitability: 2.0 | Impact: 6.0

Affected Packages6 packages

▶CVEListV5trend_micro,_inc./worry-free_business_security10.0 SP1 — 2514

▶NVDtrendmicro/worry-free_business_security_services6.7.0.0 — 6.7.3954+1

▶NVDtrendmicro/worry-free_business_security10.0

▶NVDtrendmicro/apex_one14.0.0.12994 — 14.0.0.14002+1

▶CVEListV5trend_micro,_inc./trend_micro_apex_one2019 (14.0) — 14.0.0.14002

🔴Vulnerability Details

CVEList

CVE-2025-49154: An insecure access control vulnerability in Trend Micro Apex One and Trend Micro Worry-Free Business Security could allow a local attacker to overwrit↗2025-06-17

▶

GHSA

GHSA-p8h4-m3x4-3cgw: An insecure access control vulnerability in Trend Micro Apex One and Trend Micro Worry-Free Business Security could allow a local attacker to overwrit↗2025-06-17

▶