Recommended reading

Trend Micro patches several worrying security flaws, so update now

News
By published

Half a dozen flaws across different Trend Micro products have been addressed

Security
(Image credit: Shutterstock) (Image credit: Shutterstock)
  • Trend Micro patches multiple high- and critical-severity flaws
  • The issues were found in Apex Central and Endpoint Encryption PolicyServer
  • There are no workarounds or mitigations

Trend Micro has fixed a handful of critical-severity vulnerabilities it recently discovered in a pair of enterprise-level tools.

In security advisories, the company said it fixed six remote code execution, and authentication bypass vulnerabilities, in Apex Central and Endpoint Encryption (TMEE) PolicyServer products.

Apex Central is a web‑based centralized management console designed for IT and security teams in mid‑sized to enterprise organizations using Trend Micro’s security products across endpoints, servers, email, and network. Endpoint Encryption PolicyServer, on the other hand, is a central management server used to manage encryption policies across devices. Users can handle authentication, key management, real-time policy synchronization and auditing, and are allowed remote commands such as locking, resetting or wiping lost or stolen endpoints.

No evidence of abuse

The vulnerabilities fixed with the most recent patches are listed below:

CVE-2025-49212
CVE-2025-49213
CVE-2025-49216
CVE-2025-49217
CVE-2025-49219
CVE-2025-49212

All of these are deemed either high-severity, or critical. More details about them can be found on this link.

While Trend Micro stresses there is no evidence of abuse in the wild, it still urges its users to apply the fixes and secure their premises as soon as possible.

There are no mitigations, or workarounds, and the only way to secure the endpoints is to bring TMEE to version 6.0.0.4013 (Patch 1 Update 6), and for Apex Central, to install the Patch B7007.

Just because threat actors did not take advantage of the flaws yet, it doesn’t mean they won’t. Many hacking groups watch for newly-released patches to try and exploit the vulnerabilities, banking on the fact that many organizations don’t rush with installing the fixes.

For example, in March 2025, Trend Micro warned about a Windows zero-day vulnerability which has remained unpatched for eight years and has been exploited by 11 nation-state attackers, and countless financially motivated groups.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.