Critical Vulnerabilities Patched in Trend Micro Apex Central, Endpoint Encryption

Trend Micro patches critical-severity Apex Central and Endpoint Encryption PolicyServer flaws leading to remote code execution.

Trend Micro has released patches for ten vulnerabilities in Apex Central and Endpoint Encryption (TMEE) PolicyServer, including critical-severity flaws leading to remote code execution (RCE).

The update for Apex Central resolves two critical bugs leading to RCE, tracked as CVE-2025-49219 and CVE-2025-49220 (CVSS score of 9.8). The security defects are similar, but were discovered in different methods, the company says.

Both vulnerabilities are described as an insecure deserialization operation that could allow remote attackers to execute arbitrary code on affected installations, without authentication.

Endpoint Encryption PolicyServer received fixes for eight flaws, including four critical and four high-severity defects.

Three of the critical issues are described as deserialization of untrusted data that could lead to unauthenticated RCE.

Tracked as CVE-2025-49212, CVE-2025-49213, and CVE-2025-49217 (CVSS score of 9.8), the bugs are similar, but impact ...