{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-31285", "assignerOrgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272", "state": "PUBLISHED", "assignerShortName": "trendmicro", "dateReserved": "2025-03-27T17:59:57.531Z", "datePublished": "2025-04-02T16:39:33.203Z", "dateUpdated": "2025-04-07T13:42:52.372Z"}, "containers": {"cna": {"affected": [{"vendor": "Trend Micro, Inc.", "product": "Trend Vision One", "versions": [{"version": "NA", "status": "affected", "versionType": "semver", "lessThan": "NA"}]}], "descriptions": [{"lang": "en", "value": "A broken access control vulnerability previously discovered in the Trend Vision One Role Name component could have allowed an administrator to create users who could then change the role of the account and ultimately escalate privileges. \r\n\r\nPlease note: ths issue has already been addressed on the backend service and is no longer considered an active vulnerability."}], "providerMetadata": {"orgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272", "shortName": "trendmicro", "dateUpdated": "2025-04-07T13:42:52.372Z"}, "references": [{"url": "https://success.trendmicro.com/en-US/solution/KA-0019386"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"}}], "problemTypes": [{"descriptions": [{"description": "CWE-269: Improper Privilege Mangement", "lang": "en-US", "type": "CWE", "cweId": "CWE-269"}]}], "tags": ["exclusively-hosted-service"], "credits": [{"lang": "en", "value": "Vaibhav Kumar Srivastava of eSec Forte Technologies Pvt. Ltd", "type": "finder"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-03T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2025-31285"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-04T03:55:20.293Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-31285", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-02T17:32:05.306587Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-02T17:32:10.291Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "credits": [{"lang": "en", "type": "finder", "value": "Vaibhav Kumar Srivastava of eSec Forte Technologies Pvt. Ltd"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Trend Micro, Inc.", "product": "Trend Vision One", "versions": [{"status": "affected", "version": "NA", "lessThan": "NA", "versionType": "semver"}]}], "references": [{"url": "https://success.trendmicro.com/en-US/solution/KA-0019386"}], "descriptions": [{"lang": "en", "value": "A broken access control vulnerability previously discovered in the Trend Vision One Role Name component could have allowed an administrator to create users who could then change the role of the account and ultimately escalate privileges. \r\n\r\nPlease note: ths issue has already been addressed on the backend service and is no longer considered an active vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Mangement"}]}], "providerMetadata": {"orgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272", "shortName": "trendmicro", "dateUpdated": "2025-04-07T13:42:52.372Z"}}}, "cveMetadata": {"cveId": "CVE-2025-31285", "state": "PUBLISHED", "dateUpdated": "2025-04-07T13:42:52.372Z", "dateReserved": "2025-03-27T17:59:57.531Z", "assignerOrgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272", "datePublished": "2025-04-02T16:39:33.203Z", "assignerShortName": "trendmicro"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:trendmicro:trend_vision_one:-:*:*:*:*:*:*:*", "matchCriteriaId": "761D8AA4-4FAC-4797-84B3-20DA7F69DF8E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "security@trendmicro.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "A broken access control vulnerability previously discovered in the Trend Vision One Role Name component could have allowed an administrator to create users who could then change the role of the account and ultimately escalate privileges. \r\n\r\nPlease note: ths issue has already been addressed on the backend service and is no longer considered an active vulnerability."}, {"lang": "es", "value": "Una vulnerabilidad de control de acceso fallida, descubierta previamente en el componente Trend Vision One Role Name, podr\u00eda haber permitido a un administrador crear usuarios que posteriormente podr\u00edan cambiar el rol de la cuenta y, en \u00faltima instancia, escalar privilegios. Nota: Este problema ya se ha solucionado en el servicio backend y ya no se considera una vulnerabilidad activa."}], "id": "CVE-2025-31285", "lastModified": "2025-09-02T18:33:05.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "security@trendmicro.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-02T17:15:48.943", "references": [{"source": "security@trendmicro.com", "tags": ["Vendor Advisory"], "url": "https://success.trendmicro.com/en-US/solution/KA-0019386"}], "sourceIdentifier": "security@trendmicro.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@trendmicro.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}