PoC released for unauthenticated RCE in Trend Micro Apex Central (CVE-2025-69258)
Trend Micro has released a critical patch fixing several remotely exploitable vulnerabilities in Apex Central (on-premise), including a flaw (CVE-2025-69258) that may allow unauthenticated attackers to achieve code execution on affected installations.

The three vulnerabilities were unearthed and privately reported by Tenable bug hunters last year, and they have now published technical details and PoC exploits for each.
CVE-2025-69258 and the other flaws
Apex Central on-premise is a central management platform through which IT/security teams manage, configure, update and monitor other Trend Micro security products and services deployed by the organization “at the gateway, mail server, file server, and corporate desktop levels.”
The on-premise server and SQL database are installed and maintained on organizations’ own hardware or virtual machines.
The most critical of the three vulnerabilities is CVE-2025-69258, which could allow unauthenticated attackers to load a malicious DLL into the solution’s MsgReceiver.exe process and execute it with SYSTEM privileges.
Like CVE-2025-69258, CVE-2025-69259 and CVE-2025-69260 can also be triggered by unauthenticated attackers sending a specially crafted message to the MsgReceiver.exe process, which listens on default TCP port 20001. Unlike CVE-2025-69258, these can cause a denial of service condition on vulnerable installations.
The vulnerabilities have been fixed in Apex Central (on-premise) Critical Patch Build 7190, and affect all previous releases. Trend Micro “strongly encourages” customers to update to this latest build as soon as possible.
“Exploiting these type of vulnerabilities generally require that an attacker has access (physical or remote) to a vulnerable machine. In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security is up-to-date,” the company also advised.
There’s currently no mention of the flaws being actively leveraged by attackers, but with the PoCs having been made public, there’s no doubt some will search for vulnerable internet-facing installations and try their luck.
Organizations that have deployed Apex Central on-premise should patch sooner rather than later.
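For the advice to review remote access, the following added example (not from Trend Micro or Tenable) audits `netstat -ano` output saved from an Apex Central server: it flags non-loopback listeners on the default MsgReceiver.exe port 20001 and established peers outside the management networks. The sample output, the `10.20.0.0/24` management range and the function names are constructed assumptions.

```python
import ipaddress

APEX_MSG_PORT = 20001  # default MsgReceiver.exe TCP port named in the article

# Constructed `netstat -ano` excerpt (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:20001          0.0.0.0:0              LISTENING       4321
  TCP    10.20.0.5:20001        10.20.0.44:50712       ESTABLISHED     4321
  TCP    10.20.0.5:20001        203.0.113.77:61534     ESTABLISHED     4321
  TCP    10.20.0.5:443          198.51.100.9:40222     ESTABLISHED     1500
  TCP    [::]:20001             [::]:0                 LISTENING       4321
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr%zone]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]").split("%")[0]), int(port)

def audit(netstat_text, allowed_cidrs, port=APEX_MSG_PORT):
    """Return (kind, address, pid) findings for the given local TCP port."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP":
            continue  # header, UDP rows, blank lines
        local_ip, local_port = split_endpoint(f[1])
        if local_port != port:
            continue
        if f[3] == "LISTENING" and not local_ip.is_loopback:
            # Bound beyond loopback: reachability depends on firewall rules.
            findings.append(("listener", str(local_ip), f[4]))
        elif f[3] == "ESTABLISHED":
            peer, _ = split_endpoint(f[2])
            if not any(peer in net for net in allowed):
                findings.append(("unexpected-peer", str(peer), f[4]))
    return findings

if __name__ == "__main__":
    # 10.20.0.0/24 is an assumed management network for this sample.
    for finding in audit(SAMPLE_NETSTAT, ["10.20.0.0/24"]):
        print(*finding)
```

A `listener` finding on `0.0.0.0` or `::` means the port is bound on every interface, so the host and perimeter firewall rules are what restrict who can reach it.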

