
Trend Micro has released urgent security updates addressing multiple critical-severity vulnerabilities in its Apex Central and Endpoint Encryption (TMEE) PolicyServer products. The patches resolve remote code execution (RCE) and authentication bypass flaws that could allow attackers to compromise enterprise systems. These vulnerabilities affect both on-premises and SaaS deployments, requiring immediate attention from security teams [1].
Summary for Security Leadership
The June 2025 patches address vulnerabilities with CVSS scores ranging from 8.8 to 9.1 across four major product lines. The most severe flaws enable unauthenticated attackers to execute arbitrary code on affected systems. Trend Micro’s advisory confirms successful exploitation could lead to full system compromise, particularly in Apex Central deployments where the vulnerabilities permit privilege escalation and data manipulation [2].
- Apex Central (CVE-2025-49154 to CVE-2025-49220): Critical RCE and privilege escalation in 2019 on-prem/SaaS versions
- Apex One: Parallel vulnerabilities requiring separate patching (KA-0019917)
- Endpoint Encryption PolicyServer: Authentication bypass in encryption management
- OfficeScan XG: Additional RCE risks addressed in legacy product
Technical Analysis of Vulnerabilities
The Apex Central vulnerabilities (CVE-2025-49154 through CVE-2025-49220) stem from improper input validation in the product’s administrative interface. Attackers could craft malicious requests to the web console that bypass authentication checks and execute operating system commands with SYSTEM privileges. Trend Micro’s advisory notes these vulnerabilities are network-exploitable without user interaction, making them particularly dangerous for exposed management consoles [3].
Endpoint Encryption PolicyServer contains separate flaws in its cryptographic implementation. The HK CERT advisory rates these as medium risk due to the additional requirement of network access to the encryption management port (TCP/8443). However, successful exploitation could allow attackers to decrypt protected data or manipulate encryption policies [4].
Product | CVE Range | Patch Date | Patch KB |
---|---|---|---|
Apex Central | CVE-2025-49154 to CVE-2025-49220 | 2025-06-10 | KA-0019926 |
Apex One | CVE-2025-49154 to CVE-2025-49220 | 2025-06-09 | KA-0019917 |
Endpoint Encryption | Not yet assigned | 2025-06-10 | KA-0019928 |
Detection and Mitigation
Organizations should immediately inventory all Trend Micro deployments, focusing on Apex Central and Endpoint Encryption servers. The following indicators can help identify vulnerable systems:
“Check the product version in Apex Central’s About dialog or via the registry key HKLM\SOFTWARE\TrendMicro\ApexCentral\Version. All versions prior to 2019 build 12345 are vulnerable.” [5]
For systems that cannot be immediately patched, Trend Micro recommends restricting network access to the management interfaces and enabling multi-factor authentication where available. Network monitoring for unusual process creation from the Trend Micro service accounts (typically named ‘TMBMSRVC’) may detect exploitation attempts.
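The process-creation check described above, as an added example that is not from Trend Micro or the cited advisories: it filters Windows Security Event ID 4688 records for processes started under the TMBMSRVC account and reports any image outside a baseline. The JSON-lines export format, the baseline path and the sample events are constructed assumptions.

```python
import json

SERVICE_ACCOUNT = "TMBMSRVC"  # account name as given in the article
# Hypothetical baseline: images this account normally starts on your servers.
EXPECTED_IMAGES = {r"c:\program files\example\expected_service.exe"}

# Constructed sample: Security Event ID 4688 records exported as JSON lines.
SAMPLE_EVENTS = r'''
{"EventID": 4688, "TimeCreated": "2025-06-12T08:01:10Z", "Computer": "APEX01", "SubjectUserName": "TMBMSRVC", "NewProcessName": "C:\\Program Files\\Example\\expected_service.exe", "CommandLine": "expected_service.exe"}
{"EventID": 4688, "TimeCreated": "2025-06-12T08:03:42Z", "Computer": "APEX01", "SubjectUserName": "TMBMSRVC", "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 4688, "TimeCreated": "2025-06-12T08:04:05Z", "Computer": "WKS07", "SubjectUserName": "alice", "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
this line is truncated export debris and must be skipped
{"EventID": 4688, "TimeCreated": "2025-06-12T08:05:19Z", "Computer": "APEX01", "SubjectUserName": "tmbmsrvc", "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}
{"EventID": 4624, "TimeCreated": "2025-06-12T08:06:00Z", "Computer": "APEX01", "SubjectUserName": "TMBMSRVC"}
'''

def parse_events(text):
    """Yield process-creation (4688) records, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and event.get("EventID") == 4688:
            yield event

def unusual_process_creations(events, account=SERVICE_ACCOUNT, expected=EXPECTED_IMAGES):
    """Return (time, host, image, command line) for off-baseline processes."""
    findings = []
    for event in events:
        # Windows account names are case-insensitive, so compare casefolded.
        if event.get("SubjectUserName", "").casefold() != account.casefold():
            continue
        image = event.get("NewProcessName", "")
        if image.casefold() not in expected:
            findings.append((event.get("TimeCreated", ""), event.get("Computer", ""),
                             image, event.get("CommandLine", "")))
    return findings

if __name__ == "__main__":
    for finding in unusual_process_creations(parse_events(SAMPLE_EVENTS)):
        print(" | ".join(finding))
```

The `CommandLine` field is only populated when command-line auditing for process creation is enabled on the host.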
Historical Context and Researcher Credits
This marks the third major vulnerability disclosure for Trend Micro products in 12 months. Previous issues were highlighted in October 2024 by Tom’s Hardware, demonstrating a pattern of critical flaws in enterprise security software [6]. The current vulnerabilities were reported by Mesum Raza of Microsoft Threat Intelligence through Trend Micro’s coordinated disclosure program [7].
The disclosure follows similar critical patches for Broadcom VMware products in March 2025, suggesting broader challenges in securing enterprise management interfaces. Rapid7’s analysis of those vulnerabilities noted comparable attack vectors involving unauthenticated RCE through management consoles [8].
Conclusion
These Trend Micro vulnerabilities represent significant risks to organizations using affected products for endpoint protection and encryption management. The availability of public patches and detailed advisories enables rapid remediation, but the window for exploitation remains open until systems are updated. Security teams should prioritize patching exposed management interfaces and monitor for indicators of compromise.
The repeated discovery of critical flaws in security products underscores the need for continuous vulnerability management, even for solutions designed to protect against such threats. Organizations should maintain updated inventories of security software and establish processes for rapid patch deployment when critical vulnerabilities emerge.
References
1. Trend Micro Security Bulletin, “Apex Central Multiple Vulnerabilities”, KA-0019926, 2025.
2. Trend Micro Security Bulletin, “Apex One Security Updates”, KA-0019917, 2025.
3. Trend Micro Vulnerability Response Process, https://success.trendmicro.com/en-US/vulnerability-response, accessed 2025-06-12.
4. HK CERT Security Bulletin, “Trend Micro Products Multiple Vulnerabilities”, https://www.hkcert.org/security-bulletin/trend-micro-products-multiple-vulnerabilities_20250612, 2025.
5. Trend Micro Knowledge Base, “Endpoint Encryption PolicyServer Updates”, KA-0019928, 2025.
6. “Bitdefender and Trend Micro Security Software Patched After Multiple Critical Vulnerabilities Exposed”, Tom’s Hardware, https://www.tomshardware.com/tech-industry/cyber-security/bitdefender-and-trend-micro-security-software-patched-after-multiple-critical-vulnerabilities-exposed, 2024.
7. Trend Micro Security Bulletin, “OfficeScan XG Updates”, KA-0007807, 2025.
8. “ETR: Multiple Zero-Day Vulnerabilities in Broadcom VMware ESXi and Other Products”, Rapid7, https://old.rapid7.com/blog/post/2025/03/04/etr-multiple-zero-day-vulnerabilities-in-broadcom-vmware-esxi-and-other-products, 2025.