// For flags

CVE-2025-53378

Trend Micro Worry-Free Business Security Missing Authentication Vulnerability

Severity Score

7.6
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

A missing authentication vulnerability in Trend Micro Worry-Free Business Security Services (WFBSS) agent could have allowed an unauthenticated attacker to remotely take control of the agent on affected installations. Also note: this vulnerability only affected the SaaS client version of WFBSS only, meaning the on-premise version of Worry-Free Business Security was not affected, and this issue was addressed in a WFBSS monthly maintenance update. Therefore no other customer action is required to mitigate if the WFBSS agents are on the regular SaaS maintenance deployment schedule and this disclosure is for informational purposes only.

This vulnerability allows remote attackers to hijack security agents on affected installations of Trend Micro Worry-Free Business Security. In most cases, user interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the agent activation API. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to remove protections or create a denial-of-service condition on the system.

*Credits: Nicolas Caluori
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2025-06-27 CVE Reserved
  • 2025-07-10 CVE Published
  • 2025-07-11 CVE Updated
  • 2025-07-16 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-306: Missing Authentication for Critical Function
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Trend Micro, Inc.
Search vendor "Trend Micro, Inc."
Trend Micro Worry-Free Business Security Services
Search vendor "Trend Micro, Inc." for product "Trend Micro Worry-Free Business Security Services"
>= SaaS < 6.7.3954 / 14.3.1299
Search vendor "Trend Micro, Inc." for product "Trend Micro Worry-Free Business Security Services" and version " >= SaaS < 6.7.3954 / 14.3.1299"
en
Affected