ºÚÁÏÉç

On 10 June 2025, Trend Micro released fixes for six critical vulnerabilities affecting Apex Central and Endpoint Encryption PolicyServer. Five of the vulnerabilities allow remote code execution (RCE), and one enables authentication bypass. The vulnerabilities were responsibly disclosed by the Zero Day Initiative (ZDI), a vulnerability research organisation owned by Trend Micro.?

Vulnerabilities?

• CVE-2025-49219 & CVE-2025-49220: Unauthenticated RCE in Apex Central due to insecure deserialisation.?

• CVE-2025-49216: Authentication bypass in Endpoint Encryption PolicyServer due to improper implementation of an authentication algorithm.?

• CVE-2025-49213 & CVE-2025-49217: Unauthenticated RCE in Endpoint Encryption PolicyServer due to insecure deserialisation.?

• CVE-2025-49212: RCE in Endpoint Encryption PolicyServer due to insecure deserialisation. Requires authentication, but can be chained with CVE-2025-49216 to achieve authentication.?

Arctic Wolf has not observed exploitation of these vulnerabilities or identified any publicly available proof-of-concept (PoC) code. Apex Central vulnerabilities have been exploited in the past, as noted in CISA¡¯s Known Exploited Vulnerabilities catalog. Additionally, Endpoint Encryption PolicyServer manages encryption keys and access policies, making it a high-value target for threat actors. Threat actors may reverse engineer the patches in the near future to develop exploits.?

Recommendation?

Upgrade to Latest Fixed Version

Arctic Wolf strongly recommends that customers upgrade to the latest fixed version of Apex Central or Endpoint Encryption Policy Server.?

Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.?

References?

Resources

Understand the threat landscape, and how to better defend your organisation, with the 2025 Arctic Wolf Threat Report

See how Arctic Wolf utilises threat intelligence to harden your attack surface and stop threats earlier and faster