Critical RCE Vulnerabilities in Trend Micro Apex One

Trend Micro reports active exploitation of management console command injection RCE vulnerability

Threat ID:: CC-4687
Threat Severity:: Medium
Published:: 6 August 2025 1:46 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Trend Micro reports active exploitation of management console command injection RCE vulnerability

Affected platforms

The following platforms are known to be affected:

Trend Micro Apex One

Apex One (on-prem)

2019
Management Server Version 14039 and below

The following platforms are also known to be affected:

Other Trend platforms have already been mitigated in an out-of-band maintenance on 31 July 2025, which include:

Trend Apex One as a Service
Trend Vision One Endpoint Security - Standard Endpoint Protection

Threat details

Active exploitation of RCE vulnerability

Trend Micro has disclosed there has been at least one attempt of active exploitation of one of these vulnerabilities in the wild.

Introduction

Trend Micro has published a critical security bulletin regarding CVE-2025-54948 and CVE-2025-54987, which are command injection remote code execution (RCE) vulnerabilities that affect the Trend Micro Apex One (on-premise) Management Console.

If successfully exploited, these vulnerabilities could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. Both vulnerabilities are similar, but they target different CPU architectures.

Critical security update expected in mid-August 2025

A critical security update by Trend Micro Apex One Management Console (on-premise) is expected to be released around the middle of August 2025, and the Trend Micro's Critical Security Bulletin and this Cyber Alert will be updated as soon as it is available.

The expected security update will also restore the Remote Install Agent functionality, if applied after the short-term mitigation fix tool.

Remediation advice

Affected organisations are encouraged to review Trend Micro's Critical Security Bulletin and the short-term mitigation, and make local risk assessments to determine if the mitigation is suitable.

Note: While the fix tool will fully protect against known exploits, it will disable the ability for administrators to use the Remote Install Agent function to deploy agents from the Trend Micro Apex One Management Console.

Definitive source of threat updates

https://success.trendmicro.com/en-US/solution/KA-0020652

CVE Vulnerabilities

Status Published

CVE-2025-54948

A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.

Status Published

CVE-2025-54987

A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. This vulnerability is essentially the same as CVE-2025-54948 but targets a different CPU architecture.

Last edited: 6 August 2025 1:46 pm