Analysis Summary

CVE-2025-49220 CVSS:9.8

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trend Micro Apex Central. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the ConvertFromJson method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE.

CVE-2025-49219 CVSS:9.8

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trend Micro Apex Central. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the GetReportDetailView method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE.

CVE-2025-49158 CVSS:6.7

This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Apex One Security Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Furthermore, privilege escalation occurs only if an administrator uninstalls the Security Agent from the affected computer. The specific flaw exists within the product uninstaller. The product executes a program from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.

CVE-2025-49157 CVSS:7.8

This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Apex One Security Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Damage Cleanup Engine, which runs within the Trend Micro Common Client Real-time Scan Service. By creating a junction, an attacker can abuse the service to delete a folder. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.

CVE-2025-49156 CVSS:7

This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Apex One Security Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Furthermore, the product is vulnerable only if configured by an administrator to take a non-default malware remediation action.The specific flaw exists within the VsapiNT.sys kernel module. By creating a symbolic link, an attacker can abuse the driver to create arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.

CVE-2025-49155 CVSS:8.8

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trend Micro Apex One Security Agent. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the Data Loss Prevention module. The issue results from loading a DLL from an uncontrolled search path. An attacker can leverage this vulnerability to execute code in the context of the current user.

Impact

• Code Execution
• Privilege Escalation

Indicators of Compromise

CVE

• CVE-2025-49220
• CVE-2025-49219
• CVE-2025-49158
• CVE-2025-49155
• CVE-2025-49156
• CVE-2025-49157

Affected Vendors

Remediation

Refer to Trend Micro Security Advisory for patch, upgrade, or suggested workaround information.

CVE-2025-49220

CVE-2025-49219

CVE-2025-49158

CVE-2025-49157

CVE-2025-49156

CVE-2025-49155