CVE-2025-53378

Trend Micro Worry-Free Business Security Missing Authentication Vulnerability

Severity Score

7.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

A missing authentication vulnerability in Trend Micro Worry-Free Business Security Services (WFBSS) agent could have allowed an unauthenticated attacker to remotely take control of the agent on affected installations. Also note: this vulnerability only affected the SaaS client version of WFBSS only, meaning the on-premise version of Worry-Free Business Security was not affected, and this issue was addressed in a WFBSS monthly maintenance update. Therefore no other customer action is required to mitigate if the WFBSS agents are on the regular SaaS maintenance deployment schedule and this disclosure is for informational purposes only.

This vulnerability allows remote attackers to hijack security agents on affected installations of Trend Micro Worry-Free Business Security. In most cases, user interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the agent activation API. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to remove protections or create a denial-of-service condition on the system.

*Credits: Nicolas Caluori

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2025-06-27 CVE Reserved
2025-07-10 CVE Published
2025-07-11 CVE Updated
2025-07-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-306: Missing Authentication for Critical Function

CAPEC

References (1)

URL	Tag	Source
https://success.trendmicro.com/en-US/solution/KA-0019936

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Trend Micro, Inc. Search vendor "Trend Micro, Inc."		Trend Micro Worry-Free Business Security Services Search vendor "Trend Micro, Inc." for product "Trend Micro Worry-Free Business Security Services"				>= SaaS < 6.7.3954 / 14.3.1299 Search vendor "Trend Micro, Inc." for product "Trend Micro Worry-Free Business Security Services" and version " >= SaaS < 6.7.3954 / 14.3.1299"		en		Affected