CVE-2025-49213
Published 2025-06-17
Priority P2 · 66 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 7.94% (94.0th percentile)
An insecure deserialization operation in the Trend Micro Endpoint Encryption PolicyServer could lead to a pre-authentication remote code execution on affected installations. Note that this vulnerability is similar to CVE-2025-49212 but is in a different method.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro_inc | trend_micro_endpoint_encryption_policy_server | >= 6.0 < 6.0.0.4013 | 6.0.0.4013 |
| trendmicro | trend_micro_endpoint_encryption | < 6.0.0.4013 | 6.0.0.4013 |
Detection & IOCs (extracted from sources)
- CVE-2025-49213 is a pre-authentication remote code execution vulnerability in Trend Micro Endpoint Encryption PolicyServer, enabling unauthenticated SYSTEM-level access. Detection should focus on unauthenticated/anomalous requests to the PolicyServer service.
- CVE-2025-49213 involves an insecure deserialization operation in Trend Micro Endpoint Encryption PolicyServer. Monitor for suspicious deserialization activity or unexpected process spawning from the PolicyServer process.
- CVE-2025-49213 is noted as similar to CVE-2025-49217 but affects a different method within the same Trend Micro Endpoint Encryption PolicyServer product. Detections should account for both vulnerabilities targeting different deserialization methods.
- Trend Micro has released patches for CVE-2025-49213; ensure PolicyServer installations are patched to remediate the pre-auth RCE risk.
GHSA
GHSA-h576-r27x-2cjg · ghsa_unreviewed · 2025-06-17 · CVSS 9.8
CVE-2025-49213 [CRITICAL] CWE-477
An insecure deserialization operation in the Trend Micro Endpoint Encryption PolicyServer could lead to a pre-authentication remote code execution on affected installations. Note that this vulnerability is similar to CVE-2025-49212 but is in a different method.
GHSA
GHSA-qh4c-q793-rvmw · ghsa_unreviewed · 2025-06-17 · CVSS 9.8
CVE-2025-49217 [CRITICAL] CWE-477
An insecure deserialization operation in the Trend Micro Endpoint Encryption PolicyServer could lead to a pre-authentication remote code execution on affected installations. Note that this vulnerability is similar to CVE-2025-49213 but is in a different method.
No detection rules found.
No public exploits indexed.
Checkpoint
16th June – Threat Intelligence Report
blogs_checkpoint·2025-06-16
CVE-2025-33053 16th June – Threat Intelligence Report
## 16th June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 16th June, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
One of South Korea’s largest ticketing platforms Yes24 has been a victim of a ransomware attack that resulted in a four-day service outage, disrupting online bookings for concerts, e-book access, and community forums. The incident has caused significant turmoil in the entertainment industry, forcing event cancellations and dela
Bleepingcomputer
Trend Micro fixes critical vulnerabilities in multiple products
blogs_bleepingcomputer·2025-06-12·CVSS 9.8
## Trend Micro fixes critical vulnerabilities in multiple products
## Bill Toulas
Trend Micro has released security updates to address multiple critical-severity remote code execution and authentication bypass vulnerabilities that impact its Apex Central and Endpoint Encryption (TMEE) PolicyServer products.
The security vendor underlines that it has seen no evidence of active exploitation in the wild for any of them. However, immediate application of the security updates is recommended to address the risks.
Trend Micro Endpoint Encryption PolicyServer is a central management server for Trend Micro Endpoint Encryption (TMEE), providing full disk encryption and removable media encryption for Windows-based endpoints.
The product is used in enterprise environments in regulated industries