
Trend Micro has warned that attackers are targeting two critical unauthenticated command injection vulnerabilities (CVE-2025-54948 and CVE-2025-54987) in its on-premise Apex One endpoint security product.
Vulnerability Details
CVE-2025-54948
1. Vulnerability: Management Console Command Injection RCE Vulnerability
2. CVSS Score: 9.4 (Critical)
3. EPSS Score: 0.21%
4. Affected Products: Trend Micro Apex One (on-prem) version 2019, Management Server version 14039 and below
5. Platform: Windows
CVE-2025-54987
1. Vulnerability: Management Console Command Injection RCE Vulnerability
2. CVSS Score: 9.4 (Critical)
3. EPSS Score: 0.21%
4. Affected Products: Trend Micro Apex One (on-prem) version 2019, Management Server version 14039 and below
5. Platform: Windows
CVE-2025-54948 and CVE-2025-54987 are unauthenticated command injection flaws that affect different CPU architectures but stem from the same underlying issue in Trend Micro Apex One. Both can lead to remote code execution on vulnerable installations.
According to the Zero Day Initiative (ZDI), the issue lies in the Apex One management console, which listens by default on TCP ports 8080 and 4343. Improper validation of user input that is passed to system calls allows attackers to execute arbitrary code with the privileges of the IUSR account.
The flaws affect Apex One (on-prem) and Management Server. Cloud-hosted services, including Apex One as a Service and Trend Vision One, were also affected but were mitigated on the vendor side as of July 31st.
Impact & Exploit Potential
Exploiting these vulnerabilities allows unauthenticated remote attackers to upload and execute malicious code on affected systems. This can lead to complete system compromise, data exfiltration, or other malicious activities. With a critical CVSS score of 9.4, the threat is severe, and immediate mitigation is strongly recommended.
Tactics, Techniques, and Procedures (TTPs)
Attackers can exploit these vulnerabilities to achieve remote code execution, with the injected commands running in the context of the IUSR account. This maps to the following tactic and technique from the MITRE ATT&CK framework:
- TA0002 – Execution: the tactic covering the techniques adversaries use to run malicious code on a target system.
- T1203 – Exploitation for Client Execution: attackers execute arbitrary commands on the affected system by exploiting the command injection vulnerability.
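Because the advisory states that injected commands run as IUSR, one practical detection on the Apex One server is to look for command interpreters or LOLBins created under that account, which a web worker has no legitimate reason to launch. The following PowerShell is an added hunting example written for this article, not a Trend Micro tool; it assumes process-creation auditing (Security event 4688 with command-line logging) is enabled, and the sample records it runs against are constructed for illustration.

```powershell
# Added hunting example (not from the advisory). Assumption: process-creation
# auditing (Security event 4688 with command-line logging) is enabled on the
# Apex One server, so a command injected through the console appears as a
# child process whose creating account (SubjectUserName) is IUSR.

# Constructed sample records in the shape of parsed 4688 events; the live path
# below reads the real Security log into the same shape.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2025-08-05T10:01:02'; SubjectUserName = 'IUSR';   NewProcessName = 'C:\Windows\System32\cmd.exe';     CommandLine = 'cmd.exe /c whoami' },
    [pscustomobject]@{ TimeCreated = '2025-08-05T10:01:05'; SubjectUserName = 'SYSTEM'; NewProcessName = 'C:\Windows\System32\svchost.exe'; CommandLine = 'svchost.exe -k netsvcs' },
    [pscustomobject]@{ TimeCreated = '2025-08-05T10:02:11'; SubjectUserName = 'IUSR';   NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -nop -w hidden -c Get-Process' },
    [pscustomobject]@{ TimeCreated = '2025-08-05T10:03:40'; SubjectUserName = 'IUSR';   NewProcessName = 'C:\Windows\System32\conhost.exe'; CommandLine = 'conhost.exe 0x4' }
)

# Interpreters and LOLBins that should never be spawned by the IUSR web worker.
# Extend this list with whatever your own baseline shows is abnormal.
$SuspiciousBinaries = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'cscript.exe',
                      'wscript.exe', 'mshta.exe', 'certutil.exe', 'rundll32.exe', 'bitsadmin.exe'

function Find-IusrSpawnedProcess {
    # Emits only events where IUSR created one of the suspicious binaries.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $exe = Split-Path -Leaf $Event.NewProcessName
        if ($Event.SubjectUserName -eq 'IUSR' -and $SuspiciousBinaries -contains $exe) {
            $Event
        }
    }
}

function Get-ProcessCreationEvent {
    # Reads live 4688 events from the Security log and flattens the EventData
    # fields into the same object shape as the constructed sample above.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
      ForEach-Object {
          $x = [xml]$_.ToXml()
          $d = @{}
          foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
          [pscustomobject]@{
              TimeCreated     = $_.TimeCreated
              SubjectUserName = $d['SubjectUserName']
              NewProcessName  = $d['NewProcessName']
              CommandLine     = $d['CommandLine']
          }
      }
}

# Demo on the constructed sample: flags the cmd.exe and powershell.exe rows only.
$SampleEvents | Find-IusrSpawnedProcess | Format-Table TimeCreated, NewProcessName, CommandLine -AutoSize

# Live hunt on the Apex One server (uncomment to run; look back 72 hours):
# Get-ProcessCreationEvent -Hours 72 | Find-IusrSpawnedProcess | Format-Table -AutoSize
```

The filter keys on the creating account rather than on a parent process name, because the advisory only tells us the execution context (IUSR), not which worker binary issues the system call; if your environment records parent process names, adding that as a second condition tightens the rule further.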
Mitigation & Recommendations
To mitigate the risk posed by these vulnerabilities, Trend Micro recommends the following actions:
- Apply the temporary fix tool: Trend Micro has released a temporary fix that disables the Remote Install Agent function in the Apex One Management Console. This tool provides immediate protection against known exploits. The SHA-256 hash of the fix tool (FixTool_Aug2025.exe) is c945a885a31679a913802a2aefde52b672bb2c8ac98bbed52b723e6733c0eadc.
- Install the critical patch: A comprehensive critical patch is expected to be released in mid-August 2025. This patch will restore the Remote Install Agent functionality while maintaining security protections.
- Review access policies: Ensure that remote access to critical systems is reviewed and that policies and perimeter security are up-to-date. Customers with externally exposed console IP addresses should consider implementing source restrictions.
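The three recommendations above translate into concrete checks on the Apex One server: confirm the downloaded fix tool matches the SHA-256 published in the advisory before running it, confirm whether the console's default listeners (TCP 8080 and 4343, per ZDI) are bound to all interfaces, and restrict those ports to a management source allow-list. The PowerShell below is an added example written for this article, not Trend Micro's tooling; the download path and the management subnet 10.0.0.0/24 are placeholders you must replace.

```powershell
# Added example (not Trend Micro's tooling). Assumptions: the fix tool was saved
# to $ToolPath, and $AllowedSources is your own management subnet (placeholder).

$ToolPath       = 'C:\Temp\FixTool_Aug2025.exe'   # placeholder: where you saved the download
$ExpectedSha256 = 'c945a885a31679a913802a2aefde52b672bb2c8ac98bbed52b723e6733c0eadc'  # from the advisory
$ConsolePorts   = 8080, 4343                       # default Apex One console listeners (ZDI)
$AllowedSources = @('10.0.0.0/24')                 # placeholder: your admin/management subnet
$RuleName       = 'Apex One console - management sources only'

function Test-FixToolHash {
    # Returns $true only if the on-disk file hashes to the published value.
    param([string]$Path, [string]$Expected)
    if (-not (Test-Path $Path)) { throw "Fix tool not found at $Path" }
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    return ($actual -ieq $Expected)   # mismatch = corrupt or tampered download; do not run it
}

function Get-ExposedConsoleListener {
    # Listeners bound to 0.0.0.0 or :: accept connections on every interface.
    param([int[]]$Ports)
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
      Where-Object { $Ports -contains $_.LocalPort -and ($_.LocalAddress -in '0.0.0.0', '::') }
}

function Set-ConsoleSourceRestriction {
    # Windows Firewall evaluates Block rules before Allow rules, so a blanket block
    # on the ports would also cut off the allow-list. The restriction is therefore
    # a scoped Allow rule plus the profile's default inbound action of Block, and
    # any other enabled Allow rule that still opens these ports is reported for review.
    param([int[]]$Ports, [string[]]$Sources, [string]$Name)

    $open = Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' }
    if ($open) { Write-Warning ('Default inbound action is not Block on profile(s): ' + ($open.Name -join ', ')) }

    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow -Protocol TCP `
            -LocalPort $Ports -RemoteAddress $Sources -Profile Any | Out-Null
    }

    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
      Where-Object { $_.DisplayName -ne $Name } |
      ForEach-Object {
          $pf = $_ | Get-NetFirewallPortFilter
          $hit = $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains 'Any' -or ($Ports | Where-Object { $pf.LocalPort -contains "$_" }))
          if ($hit) {
              $af = $_ | Get-NetFirewallAddressFilter
              [pscustomobject]@{ Rule = $_.DisplayName; LocalPort = ($pf.LocalPort -join ','); RemoteAddress = ($af.RemoteAddress -join ',') }
          }
      }
}

# 1. Verify the temporary fix tool before running it.
if (Test-FixToolHash -Path $ToolPath -Expected $ExpectedSha256) {
    Write-Host "Fix tool hash matches the advisory; safe to run: $ToolPath"
} else {
    Write-Warning 'Fix tool hash does NOT match the published SHA-256; do not run it'
}

# 2. Report console listeners reachable from any interface.
$exposed = Get-ExposedConsoleListener -Ports $ConsolePorts
if ($exposed) { $exposed | Format-Table LocalAddress, LocalPort, OwningProcess -AutoSize }
else { Write-Host 'Console ports are not bound to a wildcard address' }

# 3. Apply the source restriction and list competing Allow rules (uncomment once sources are confirmed).
# Set-ConsoleSourceRestriction -Ports $ConsolePorts -Sources $AllowedSources -Name $RuleName | Format-Table -AutoSize
```

Run this in an elevated PowerShell on the management server. The firewall step is deliberately left commented because a wrong allow-list locks administrators out of the console; confirm the management subnet first, and remove or narrow any competing Allow rule the function reports rather than adding a Block rule over the same ports.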
Trend Micro has observed at least one active in-the-wild attempt to exploit one of these vulnerabilities, so applying the mitigations is urgent. Jacky Hsieh, a Senior Security Researcher at CoreCloud Tech, reported the vulnerabilities to Trend Micro on August 1st, 2025, via the ZDI program.
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated patch management solution that instantly fixes risks exploited in the wild. It supports major operating systems, including Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.