Pattern Micro has launched patches for ten vulnerabilities in Apex Central and Endpoint Encryption (TMEE) PolicyServer, together with critical-severity flaws resulting in distant code execution (RCE).
The replace for Apex Central resolves two important bugs resulting in RCE, tracked as CVE-2025-49219 and CVE-2025-49220 (CVSS rating of 9.8). The safety defects are comparable, however had been found in numerous strategies, the corporate says.
Each vulnerabilities are described as an insecure deserialization operation that would enable distant attackers to execute arbitrary code on affected installations, with out authentication.
Endpoint Encryption PolicyServer acquired fixes for eight flaws, together with 4 important and 4 high-severity defects.
Three of the important points are described as deserialization of untrusted information that would result in unauthenticated RCE.
Tracked as CVE-2025-49212, CVE-2025-49213, and CVE-2025-49217 (CVSS rating of 9.8), the bugs are comparable, however impression completely different strategies. The corporate says the primary is much like the Apex Central vulnerability CVE-2025-49220.
The fourth critical-severity vulnerability resolved in Endpoint Encryption PolicyServer, CVE-2025-49216 (CVSS rating of 9.8), is an authentication bypass subject permitting “an attacker to entry key strategies as an admin consumer and modify product configurations”.
Of the high-severity flaws resolved, three are SQL injection bugs that would result in privilege escalation, whereas the fourth is an insecure deserialization resulting in RCE. All 4 require that an attacker first obtains “the flexibility to execute low-privileged code on the goal system”.Commercial. Scroll to proceed studying.
All ten vulnerabilities had been disclosed by the Zero Day Initiative (ZDI), however Pattern Micro says that none of them has been noticed being exploited within the wild. Nevertheless, customers are suggested to use the out there patches as quickly as doable.
Associated: Palo Alto Networks Patches Privilege Escalation Vulnerabilities
Associated: Fortinet, Ivanti Patch Excessive-Severity Vulnerabilities
Associated: ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Schneider, Aveva, CISA
Associated: Microsoft Patch Tuesday Covers WebDAV Flaw Marked as ‘Already Exploited’
