An insecure deserialization operation in Trend Micro Apex Central below versions 8.0.7007 could lead to a pre-authentication remote code execution on affected installations. Note that this vulnerability is similar to CVE-2025-49220 but is in a different method.
The bug lies in the use of an unsafe deserialization operation (CWE-477, CWE-502), which processes untrusted data supplied by an attacker without proper verification. An attacker can send a crafted payload to a vulnerable endpoint of the application without prior authentication. Deserialization of the malicious object leads to arbitrary code execution in the context of the server process. The vulnerability is similar to CVE-2025-49220, but affects a different method in the application code.
An attacker can remotely and without authentication execute arbitrary code on the server, which in practice means complete takeover of the system — violation of confidentiality, integrity, and availability of data.
Trend Micro Apex Central should be updated to version 8.0.7007 or later. Detailed instructions are available in the vendor bulletin at: https://success.trendmicro.com/en-US/solution/KA-0019926
Trend Micro Apex Central versions below 8.0.7007, installed on Microsoft Windows.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMicrosoft Windows
OSMicrosoftwszystkie wersjeTrendmicro Apex Central
APPTrendmicro2019
Related vulnerabilities
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit