Trend Micro Apex One flaws exploited in the wild (CVE-2025-54948, CVE-2025-54987)
Unauthenticated command injection vulnerabilities (CVE-2025-54948, CVE-2025-54987) affecting the on-premise version of Trend Micro’s Apex One endpoint security platform are being probed by attackers, the company warned on Wednesday.
Unfortunately for those organizations that use it, a patch is still in the works and is expected to be released around the middle of August 2025. But the company has provided a “fix tool” that mitigates the risk of exploitation in the short term – though it will prevent admins from utilizing the Remote Install Agent function to deploy agents from the Trend Micro Apex One Management Console.
“Other agent install methods such as UNC path or agent package are unaffected,” the company reassured.
About the vulnerabilities (CVE-2025-54948, CVE-2025-54987)
Both CVE-2025-54948 and CVE-2025-54987 are essentially the same vulnerability on a different CPU architecture: they are unauthenticated command injection vulnerabilities that could be triggered to achieve remote code execution on affected installations of Trend Micro Apex One.
“The specific flaw exists within the Apex One console, which listens on TCP ports 8080 and 4343 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of IUSR,” it’s explained in the Zero Day Initiative (ZDI) advisories.
The vulnerabilities affect Trend Micro Apex One (on-prem), versions 20216 and Management Server Version 14039 and below. They also affected Trend Micro Apex One as a Service and Trend Vision One, but the company has deployed mitigations for those cloud-hosted, SaaS-based solutions on July 31st.
Implement the temporary fix, then patch (in mid August)
The vulnerabilities were reported by Jacky Hsieh, a Senior Security Researcher at CoreCloud Tech, to Trend Micro on August 1st, 2025 (via the ZDI program). The ZDI advisories were published on Tuesday, and Trend Micro confirmed today that it “has observed at least one instance of an attempt to actively exploit one of these vulnerabilities in the wild.”
Though there’s no mention of these vulnerabilities having been exploited prior to Trend Micro being notified about them, attackers have leveraged zero-day vulnerabilities in Apex One in the past.
No additional details have been shared about the attacks, but Trend Micro noted that “for this particular vulnerability, an attacker must have access to the Trend Micro Apex One Management Console, so customers that have their console’s IP address exposed externally should consider mitigating factors such as source restrictions if not already applied.”
“However, even though an exploit may require several specific conditions to be met, Trend Micro strongly encourages customers to update to the latest builds as soon as possible,” the company added.
Organizations running Apex One on-prem are advised to implement the temporary fix and/or limit access to the console, and to install the critical patch once it becomes available later this month. (The patch will automatically restore the Remote Install Agent functionality the “fix tool” switched off.)
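One way to apply the source restriction Trend Micro recommends on the management server itself, as an added example that is not Trend Micro’s fix tool or any code from the advisory: it scopes inbound access to the console ports named above (TCP 8080 and 4343) to an administrative subnet using the Windows host firewall. It assumes the firewall profiles use the default inbound action Block (so only explicit allow rules matter), and `10.10.0.0/24` is a placeholder for your own management network.

```powershell
# Added example, not Trend Micro's code. ASSUMPTIONS: Windows host firewall on
# the Apex One management server with DefaultInboundAction = Block on all
# profiles; 10.10.0.0/24 is a PLACEHOLDER for the real admin/jump-host subnet.
$ConsolePorts = @('8080', '4343')     # console listeners per the ZDI advisory
$AdminSubnet  = '10.10.0.0/24'        # placeholder - replace before use

# 1. Locate enabled inbound Allow rules that open a console port to any source.
#    (Rules expressed as port ranges are not matched here; review those by hand.)
$broad = Get-NetFirewallPortFilter |
    Where-Object {
        $_.Protocol -eq 'TCP' -and
        (@($_.LocalPort) | Where-Object { $_ -in $ConsolePorts })
    } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' }

# 2. Disable (not delete) them so they can be re-enabled once the patch is in.
if ($broad) {
    $broad | ForEach-Object { Write-Host "Disabling broad rule: $($_.DisplayName)" }
    $broad | Disable-NetFirewallRule
}

# 3. Add one allow rule limited to the admin subnet.
New-NetFirewallRule -DisplayName 'Apex One console - admin subnet only' `
    -Description 'Interim source restriction for CVE-2025-54948 / CVE-2025-54987' `
    -Direction Inbound -Protocol TCP -LocalPort $ConsolePorts `
    -RemoteAddress $AdminSubnet -Action Allow -Profile Any | Out-Null

# 4. Verify: the default inbound action must be Block, and every remaining
#    enabled inbound rule touching the console ports should now be scoped.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction
Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        $ports = @(($_ | Get-NetFirewallPortFilter).LocalPort)
        if ($ports | Where-Object { $_ -in $ConsolePorts }) {
            [pscustomobject]@{
                Rule   = $_.DisplayName
                Remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            }
        }
    } | Format-Table -AutoSize
```

Apply the same restriction upstream (perimeter firewall, load balancer ACLs) as well, since a host-only rule does nothing if the console is published through another device.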