CVE-2025-31285

4.6 MEDIUM

📋 TL;DR

A broken access control vulnerability in Trend Vision One allowed administrators to create users who could then modify account roles and escalate privileges. This affected Trend Vision One deployments with administrator access. The vulnerability has been fixed on the backend service.

💻 Affected Systems

Products:
  • Trend Vision One
Versions: Prior to the backend service fix (specific version not disclosed)
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator access to exploit; vulnerability has been fixed on backend service

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrator creates user accounts that can escalate to higher privileges, potentially gaining full system control and bypassing security controls.

🟠 Likely Case

Administrator creates limited user accounts that gain unauthorized administrative access, compromising system integrity and data confidentiality.

🟢 If Mitigated

With proper access controls and monitoring, unauthorized privilege escalation attempts would be detected and prevented before causing damage.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated administrator access; exploitation is straightforward once admin access is obtained

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Backend service fix (no specific version provided)

Vendor Advisory: https://success.trendmicro.com/en-US/solution/KA-0019386

Restart Required: No

Instructions:

1. Ensure Trend Vision One is connected to Trend Micro services.
2. The fix has been applied automatically on the backend service.
3. No customer action required as the vulnerability has been addressed.

🔧 Temporary Workarounds

Restrict Administrator Access

all

Limit administrator accounts to trusted personnel only and implement least privilege principles

Monitor User Creation and Role Changes

all

Implement logging and alerting for user creation and role modification events

🧯 If You Can't Patch

  • Implement strict access controls and monitor all administrator activities
  • Regularly audit user accounts and role assignments for unauthorized changes

🔍 How to Verify

Check if Vulnerable:

Check if your Trend Vision One instance is connected to Trend Micro services and receiving updates

Check Version:

Check Trend Vision One console for service status and connectivity

Verify Fix Applied:

The vulnerability has been fixed on the backend service; ensure your instance is properly connected

📡 Detection & Monitoring

Log Indicators:

  • Unusual user creation events
  • Role modification events from non-standard accounts
  • Multiple privilege escalation attempts

Network Indicators:

  • Unusual authentication patterns from administrator accounts

SIEM Query:

source="trend-vision-one" AND (event_type="user_creation" OR event_type="role_modification")
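
The query above returns every creation and role change; the pattern this CVE describes is narrower: an account that was recently created and then performs a role modification itself. The following is an added example, not Trend Micro code or a documented log schema, that correlates the two event types over exported events. Only the `event_type` values come from the query; the `ts`, `actor`, `target` and `new_role` field names and all sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real product logs. Only the event_type values
# come from the query above; ts, actor, target and new_role are assumed fields.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T08:00:00", "event_type": "user_creation",
     "actor": "admin1", "target": "helper"},
    {"ts": "2025-04-01T09:00:00", "event_type": "user_creation",
     "actor": "admin1", "target": "svc-temp"},
    {"ts": "2025-04-01T09:05:00", "event_type": "role_modification",
     "actor": "svc-temp", "target": "svc-temp", "new_role": "admin"},
    {"ts": "2025-04-01T10:00:00", "event_type": "role_modification",
     "actor": "admin1", "target": "analyst2", "new_role": "analyst"},
    {"ts": "2025-04-02T11:00:00", "event_type": "role_modification",
     "actor": "helper", "target": "analyst2", "new_role": "admin"},
]


def find_escalations(events, window=timedelta(hours=24)):
    """Flag role changes performed by an account created within `window`."""
    created = {}   # account name -> (creation time, creating account)
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event_type"] == "user_creation":
            created[ev["target"]] = (ts, ev["actor"])
        elif ev["event_type"] == "role_modification":
            origin = created.get(ev["actor"])
            if origin is None or ts - origin[0] > window:
                continue  # actor is not a recently created account
            findings.append({
                "ts": ev["ts"],
                "actor": ev["actor"],
                "created_by": origin[1],
                "target": ev["target"],
                "new_role": ev.get("new_role"),
                "self_change": ev["actor"] == ev["target"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_escalations(SAMPLE_EVENTS):
        print(finding)
```

Findings with `self_change` set are the closest match to the behaviour described in the TL;DR; widen `window` when auditing historical exports.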
