Trend Micro has issued an urgent advisory for two critical command injection vulnerabilities affecting its Apex One (on-prem) management console for Windows. Both vulnerabilities—CVE-2025-54948 and CVE-2025-54987—carry a CVSS score of 9.4, and Trend Micro confirms that at least one of them is being actively exploited in the wild.
These newly disclosed flaws could allow a pre-authenticated remote attacker to upload and execute arbitrary code on a vulnerable management server:
- CVE-2025-54948: A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.
- CVE-2025-54987: This vulnerability is essentially the same as CVE-2025-54948 but targets a different CPU architecture.
Both vulnerabilities fall under CWE-78: OS Command Injection, allowing attackers to gain full control over the affected system if exploited successfully.
Trend Micro’s security team has observed at least one instance of active exploitation of these vulnerabilities. Although successful exploitation requires the attacker to have network access to the Apex One console, environments with externally exposed IPs or weak access controls are particularly at risk.
Trend Micro has released a short-term fix, FixTool_Aug2025, for Apex One (on-prem). It is now available for download and comes with one trade-off:
“While it will fully protect against known exploits, it will disable the ability for administrators to utilize the Remote Install Agent function to deploy agents from the Apex One Management Console.”
Agent deployment via UNC path or installation packages remains unaffected. Meanwhile, Apex One as a Service and Trend Vision One Endpoint Security customers have already received back-end mitigations as of July 31, 2025.