Warning: Actively Exploited 0-day Vulnerabilities in Trend Micro Apex One, Patch Immediately!

Published: 06/08/2025
  • Last update: 06/08/2025
  • Affected software:
    → Trend Micro Apex One (on-premises): 2019 & Management Server Version 14039 and below
    → Apex One as a Service
    → Trend Vision One Endpoint Security - Standard Endpoint Protection
  • Type: Remote Code Execution (RCE)
  • CVE/CVSS
    → CVE-2025-54948: CVSSv3.1: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H)
    → CVE-2025-54987: CVSSv3.1: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H)

Sources

Vendor security bulletin - https://success.trendmicro.com/en-US/solution/KA-0020652
NVD - https://nvd.nist.gov/vuln/detail/CVE-2025-54948
NVD - https://nvd.nist.gov/vuln/detail/CVE-2025-54987

Risks

Successful exploitation of the command injection vulnerabilities CVE-2025-54948 or CVE-2025-54987, which affect the management console of on-premises Trend Micro Apex One installations, results in code execution on the underlying OS within the scope of the IUSR user. This could allow attackers to bypass security controls, steal sensitive data, and disrupt core operations.

The impact spans confidentiality, integrity, and availability, risking data breaches, full system compromise, and operational downtime.

Trend Micro has observed at least one instance of an attempt to actively exploit one of these vulnerabilities in the wild.

Description

Trend Micro Apex One is an endpoint security platform. Both vulnerabilities affect the management console of this platform. This console listens on TCP ports 8080 and 4343 by default.

Both CVE-2025-54948 and CVE-2025-54987 allow unauthenticated remote attackers to upload malicious code and execute commands on affected installations. Successful exploitation allows execution of arbitrary server commands under the web-server user account, potentially leading to data theft, further pivoting, or server takeover. The key difference between the two vulnerabilities is the targeted CPU architecture.

Pending the publication of official patches, Trend Micro published a fix tool to mitigate the risk of successful exploitation of the above vulnerabilities. The fix tool listed in the vendor bulletin is a short-term mitigation for on-premises Apex One installations; while it will fully protect against known exploits, it disables the ability for administrators to use the Remote Install Agent function to deploy agents from the Trend Micro Apex One Management Console. Other agent install methods, such as UNC path or agent package, are unaffected.

In addition, Trend Micro already implemented a mitigation for the affected backend component of the following platforms during an out-of-band maintenance window on July 31, 2025:

  • Apex One as a Service
  • Trend Vision One Endpoint Security - Standard Endpoint Protection

A more formal Critical Patch for the Trend Micro Apex One Management Console (on-premises) is expected to be released around the middle of August 2025. This Critical Patch will also restore the Remote Install Agent functionality if applied after the fix tool above.


Recommended Actions

Mitigate
The Centre for Cybersecurity Belgium strongly recommends installing the fix tool with the highest priority after thorough testing. The fix tool listed in the Trend Micro bulletin is a short-term mitigation; while it will fully protect against known exploits, it disables the ability for administrators to use the Remote Install Agent function to deploy agents from the Trend Micro Apex One Management Console. Other agent install methods, such as UNC path or agent package, are unaffected.

Patch
The Centre for Cybersecurity Belgium strongly recommends installing the formal updates, once available, on vulnerable devices with the highest priority after thorough testing. Trend Micro expects this patch to be released around the middle of August 2025. This Critical Patch will also restore the Remote Install Agent functionality if applied after the fix tool above.

Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion. Trend Micro advises reviewing remote access to critical systems and ensuring that policies and perimeter security are up to date.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

Zero Day Initiative - https://www.zerodayinitiative.com/advisories/ZDI-25-771/
Zero Day Initiative - https://www.zerodayinitiative.com/advisories/ZDI-25-772/