Broken Access Control in Trend Vision One User Account Allows Privilege Escalation
CVE-2025-31282

4.6MEDIUM

Key Information:

Vendor: Trend Micro
Status: Trend Vision One
Vendor: CVE Published:; 2 April 2025

Summary

A broken access control vulnerability was identified in the Trend Vision One User Account component. This vulnerability enabled an administrator to create new users who could subsequently alter their account roles, leading to elevated privileges. It's important to note that this issue has been addressed in the backend service and is no longer active, ensuring that systems using Trend Vision One are now more secure against such vulnerabilities.

Affected Version(s)

Trend Vision One NA

References

https://success.trendmicro.com/en-US/solution/KA-0019386

CVSS V3.1

Score:

4.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Apr 2, 2025
Vulnerability Reserved
Mar 27, 2025

Credit

Vaibhav Kumar Srivastava of eSec Forte Technologies Pvt. Ltd