Cybersecurity Blog | RedLegg

Security Bulletin: Trend Micro Encryption Vulnerabilities

Written by RedLegg's Cyber Threat Intelligence Team | 6/12/25 10:35 PM

About:

RedLegg will occasionally communicate vulnerabilities disclosed outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation.

VULNERABILITIES

Trend Micro Endpoint Encryption PolicyServer Insecure Deserialization

CVSS Score: 9.8 (Critical)
Identifier: CVE-2025-49212
Exploit or POC: No exploitation or proof of concept observed.
Update: CVE-2025-49212 – Trend Micro Advisory (June 2025 Patch)

Description: CVE-2025-49212 is a critical pre-authentication remote code execution vulnerability in Trend Micro Endpoint Encryption's PolicyServer. The flaw arises from deserialization of untrusted data (CWE-502) in the server component, which lets an attacker trigger arbitrary code execution on affected systems without valid credentials. The severity stems from the fact that the flaw is reachable over the network with no credentials and yields full control of the server, including the encryption policies it manages and potentially the encrypted data they protect.

Mitigation Recommendation: Trend Micro has released PolicyServer update 6.0.0.4013 to address this issue. Administrators are strongly advised to upgrade immediately. If patching is not viable, implement Trend Micro's IPS filters (e.g., TippingPoint/Cloud One filters 45072–45076) to detect or block exploit attempts, isolate PolicyServers behind secured network segments, and monitor network traffic for suspicious deserialization activity.


Trend Micro Endpoint Encryption PolicyServer Deserialization Remote Code Execution Vulnerability


CVSS Score: 9.8 (Critical)
Identifier: CVE-2025-49213
Exploit or POC: No exploitation or proof of concept observed.
Update: CVE-2025-49213 – Trend Micro Advisory (June 2025 Patch)

Description: CVE-2025-49213 is a critical pre-authentication remote code execution vulnerability in Trend Micro Endpoint Encryption's PolicyServer component. Rooted in insecure deserialization of untrusted data within the PolicyServerWindowsService module, the flaw lets an unauthenticated remote attacker execute code as SYSTEM, the account the service runs under. No credentials or prior foothold are required, so every network-reachable PolicyServer is exposed.

Mitigation Recommendation: Trend Micro has released PolicyServer update 6.0.0.4013 to remediate this vulnerability. Administrators should upgrade immediately. If patch rollout is delayed, apply Trend Micro's IPS filters (TippingPoint/Cloud One filters 45072–45076), isolate PolicyServer within secure network segments, and monitor for suspicious deserialization behavior.

Endpoint Encryption PolicyServer Authentication Bypass Vulnerability


CVSS Score: 9.8 (Critical)
Identifier: CVE-2025-49216
Exploit or POC: No exploitation or proof of concept observed.
Update: CVE-2025-49216 – Trend Micro Advisory (June 2025 Patch)

Description: CVE-2025-49216 is a critical authentication bypass vulnerability in the DbAppDomain service of Trend Micro Endpoint Encryption PolicyServer. The issue arises from a flawed authentication check that lets remote, unauthenticated attackers perform administrative functions without credentials. Successful exploitation could grant full control over the PolicyServer infrastructure, compromising encryption policies and configurations.

Mitigation Recommendation: Trend Micro has released PolicyServer update 6.0.0.4013 to address this issue. Administrators are strongly advised to apply this patch immediately. If the update cannot be deployed right away, consider isolating the PolicyServer behind restricted network segments, hardening access controls, and increasing monitoring for unauthorized configuration changes or access attempts.

Endpoint Encryption PolicyServer ValidateToken Deserialization RCE Vulnerability


CVSS Score: 8.1 (High)
Identifier: CVE-2025-49217
Exploit or POC: No exploitation or proof of concept observed.
Update: CVE-2025-49217 – Trend Micro Advisory (June 10, 2025 Patch)

Description: CVE-2025-49217 is a remote code execution vulnerability in Trend Micro Endpoint Encryption's PolicyServer. The flaw lies in the unsafe deserialization of untrusted data within its ValidateToken method, allowing a remote, unauthenticated attacker to execute arbitrary code with SYSTEM privileges. Exploitation is more complex than for the related issues above, which is why ZDI scored it 8.1 (High) rather than 9.8, but it still requires no valid credentials and yields full server compromise.

Trend Micro categorized the issue as critical nonetheless and fixed it alongside the other PolicyServer vulnerabilities in the June 2025 release, consolidating the fixes in version 6.0.0.4013.

Mitigation Recommendation: Upgrade Trend Micro Endpoint Encryption PolicyServer to version 6.0.0.4013 immediately. If patching cannot be implemented promptly, apply Trend Micro's IPS filters (TippingPoint/Cloud One filters 45072–45076) to block exploit attempts, isolate the PolicyServer behind secure network segments, and monitor for unusual deserialization activity in logs and alerts.
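The bug class behind CVE-2025-49212, CVE-2025-49213 and CVE-2025-49217 (CWE-502, deserialization of untrusted data) in a .NET Windows service, shown as an added example that is not Trend Micro's code and does not reflect PolicyServer's actual implementation: a `ValidateToken` handler that hands attacker-controlled bytes to `BinaryFormatter`, next to a hardened version that uses a wire format carrying no type information. The `TokenRequest` type, the method signatures, the size limits and the sample request are assumptions made for the illustration.

```csharp
// Added example (not Trend Micro's code): the CWE-502 pattern behind the
// PolicyServer advisories, shown generically. TokenRequest, the method
// signatures and the limits below are assumptions, not PolicyServer internals.
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Text.Json;

// The kind of request object a service might exchange with its clients.
[Serializable]
public sealed class TokenRequest
{
    public string Token { get; set; } = "";
    public string ClientId { get; set; } = "";
}

public static class Vulnerable
{
    // Dangerous: BinaryFormatter reconstructs whatever type the byte stream
    // names, running that type's constructors, property setters and
    // deserialization callbacks before this method ever sees the object.
    // Gadget chains built from framework types turn that into code execution
    // as the service account (SYSTEM for a Windows service), with no token
    // check ever reached.
    public static TokenRequest ValidateToken(byte[] untrustedBytes)
    {
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete
        var formatter = new BinaryFormatter();
        using var stream = new MemoryStream(untrustedBytes);
        // A binder (see AllowListBinder below) would be attached here as a
        // stopgap: formatter.Binder = new AllowListBinder();
        return (TokenRequest)formatter.Deserialize(stream); // attacker code already ran
#pragma warning restore SYSLIB0011
    }
}

public static class Hardened
{
    // Safe by construction: JSON carries no type names, so the parser can only
    // ever produce a TokenRequest. Field values are still untrusted and are
    // validated before use.
    public static TokenRequest ValidateToken(byte[] untrustedBytes)
    {
        if (untrustedBytes.Length > 4096)
            throw new InvalidDataException("request too large");

        var request = JsonSerializer.Deserialize<TokenRequest>(untrustedBytes)
                      ?? throw new InvalidDataException("empty request");

        if (string.IsNullOrEmpty(request.Token) || request.Token.Length > 512)
            throw new InvalidDataException("bad token");
        if (string.IsNullOrEmpty(request.ClientId) || request.ClientId.Length > 64)
            throw new InvalidDataException("bad client id");
        return request;
    }
}

// If a legacy binary format cannot be dropped immediately, a SerializationBinder
// that allow-lists the single expected type is a stopgap. Microsoft does not
// treat this as a complete fix for BinaryFormatter, which is why the hardened
// path above changes the format instead of filtering it.
public sealed class AllowListBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(TokenRequest).FullName)
            return typeof(TokenRequest);
        throw new SerializationException($"type not permitted: {typeName}");
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample request; a real client would send this over the wire.
        byte[] wire = Encoding.UTF8.GetBytes(
            "{\"Token\":\"abc123\",\"ClientId\":\"agent-01\"}");
        TokenRequest req = Hardened.ValidateToken(wire);
        Console.WriteLine($"accepted token for {req.ClientId}");
    }
}
```

The vulnerable path is exploitable before any token logic runs because `BinaryFormatter` instantiates whatever types the stream names; no defect in the service's own validation is needed. The hardened path removes that type-confusion surface entirely rather than filtering it, which matters because Microsoft marks `BinaryFormatter` obsolete (SYSLIB0011) and disables it by default in .NET 8 and later. For an existing PolicyServer deployment none of this replaces the 6.0.0.4013 update; the code is for engineers reviewing or writing services that accept serialized objects from the network.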