CVE-2025-53378

A missing authentication vulnerability in Trend Micro Worry-Free Business Security Services (WFBSS) agent could have allowed an unauthenticated attacker to remotely take control of the agent on affected installations. Also note: this vulnerability only affected the SaaS client version of WFBSS only, meaning the on-premise version of Worry-Free Business Security was not affected, and this issue was addressed in a WFBSS monthly maintenance update. Therefore no other customer action is required to mitigate if the WFBSS agents are on the regular SaaS maintenance deployment schedule and this disclosure is for informational purposes only.

CVSS v3 7.6 HIGH

7.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://success.trendmicro.com/en-US/solution/KA-0019936	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:trendmicro:worry-free_business_security_services:::::saas:::*
	cpe:2.3:a:trendmicro:worry-free_business_security_services:::::saas:::*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

03 Oct 2025, 00:46

Type	Values Removed	Values Added
First Time		Trendmicro Microsoft windows Trendmicro worry-free Business Security Services Microsoft
CPE		cpe:2.3:a:trendmicro:worry-free_business_security_services:::::saas:::* cpe:2.3:o:microsoft:windows:-:::::::*
References	~~() https://success.trendmicro.com/en-US/solution/KA-0019936 -~~	() https://success.trendmicro.com/en-US/solution/KA-0019936 - Vendor Advisory

15 Jul 2025, 13:14

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-10 19:15

Updated : 2025-10-03 00:46

NVD link : CVE-2025-53378

Mitre link : CVE-2025-53378

CVE.ORG link : CVE-2025-53378

JSON object : View

Products Affected

trendmicro

worry-free_business_security_services

microsoft

windows

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2025-53378", "cveTags": [{"tags": ["exclusively-hosted-service"], "sourceIdentifier": "security@trendmicro.com"}], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@trendmicro.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-07-10T19:15:26.177", "references": [{"url": "https://success.trendmicro.com/en-US/solution/KA-0019936", "tags": ["Vendor Advisory"], "source": "security@trendmicro.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@trendmicro.com", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "A missing authentication vulnerability in Trend Micro Worry-Free Business Security Services (WFBSS) agent could have allowed an unauthenticated attacker to remotely take control of the agent on affected installations.\r\n\r\nAlso note: this vulnerability only affected the SaaS client version of WFBSS only, meaning the on-premise version of Worry-Free Business Security was not affected, and this issue was addressed in a WFBSS monthly maintenance update. Therefore no other customer action is required to mitigate if the WFBSS agents are on the regular SaaS maintenance deployment schedule and this disclosure is for informational purposes only."}, {"lang": "es", "value": "Una vulnerabilidad de falta de autenticaci\u00f3n en el agente de Trend Micro Worry-Free Business Security Services (WFBSS) podr\u00eda haber permitido que un atacante no autenticado tomara el control remoto del agente en las instalaciones afectadas. Cabe destacar que esta vulnerabilidad solo afect\u00f3 a la versi\u00f3n cliente SaaS de WFBSS, lo que significa que la versi\u00f3n local de Worry-Free Business Security no se vio afectada. Este problema se solucion\u00f3 en una actualizaci\u00f3n de mantenimiento mensual de WFBSS. Por lo tanto, no se requiere ninguna otra acci\u00f3n por parte del cliente para mitigarlo si los agentes de WFBSS se encuentran en el programa de implementaci\u00f3n de mantenimiento SaaS habitual. Esta divulgaci\u00f3n es solo para fines informativos."}], "lastModified": "2025-10-03T00:46:37.910", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:trendmicro:worry-free_business_security_services:*:*:*:*:saas:*:*:*", "vulnerable": true, "matchCriteriaId": "661DB84A-9A36-4297-9ED9-211C222EEB80", "versionEndExcluding": "6.7.3954", "versionStartIncluding": "6.7.0.0"}, {"criteria": "cpe:2.3:a:trendmicro:worry-free_business_security_services:*:*:*:*:saas:*:*:*", "vulnerable": true, "matchCriteriaId": "0BDE03F7-BC04-48CA-B03B-893489B41F5F", "versionEndExcluding": "14.3.1299", "versionStartIncluding": "14.0.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security@trendmicro.com"}