
Trend Micro fixes two actively exploited Apex One RCE flaws

Threat Score: 73 | 13 articles | 100.0% similarity | 1 day ago

Activity Timeline: 13 articles, published between Aug 04 and Aug 06 (2 on Aug 04, 11 on Aug 06).

Key Insights

1. Trend Micro has identified two critical remote code execution vulnerabilities, CVE-2025-54948 and CVE-2025-54987, in its Apex One Management Console, each scoring 9.4 on the CVSS scale.
2. Active exploitation has been confirmed: Trend Micro has observed at least one instance of an attack targeting the affected systems in the wild.
3. Both vulnerabilities allow unauthenticated remote attackers to upload malicious code and execute arbitrary commands on affected installations, specifically Apex One 2019 Management Server Version 14039 and below.
4. A temporary mitigation tool, named 'FixTool_Aug2025', has been released to protect customers until a formal patch, expected by mid-August 2025, is issued.
5. Because the vulnerabilities are being actively exploited, Trend Micro and the Japanese Computer Emergency Response Team (CERT) have issued warnings urging users to implement immediate protective measures.
6. Enterprise security infrastructure is at risk: both flaws are command injection weaknesses, and the two CVEs differ only in the CPU architecture each one affects.

Threat Overview

Trend Micro has issued a critical security advisory regarding two remote code execution vulnerabilities, CVE-2025-54948 and CVE-2025-54987, found in its Apex One on-premise management console. Both vulnerabilities carry a maximum CVSS score of 9.4, indicating a severe threat to enterprise networks worldwide. The company confirmed on August 5, 2025, that at least one instance of active exploitation has been observed, prompting urgent action from affected organizations. 'A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations,' the advisory stated.

The vulnerabilities arise from command injection weaknesses that enable attackers to bypass authentication and execute arbitrary commands on systems running unpatched software. Specifically, these vulnerabilities impact the Trend Micro Apex One 2019 Management Server Version 14039 and below. While CVE-2025-54948 and CVE-2025-54987 are fundamentally the same, they differ in their targeting of different CPU architectures, expanding the potential attack surface for malicious actors.

Trend Micro has taken steps to mitigate the risks associated with these vulnerabilities, releasing a temporary tool named 'FixTool_Aug2025' to provide immediate protection. However, the tool disables the Remote Install Agent function for administrators, raising concerns about its usability. A formal patch addressing the vulnerabilities is anticipated to be released by mid-August 2025. The urgency of these vulnerabilities is further emphasized by the Japanese CERT, which has also issued an alert recommending immediate action.

Security experts have highlighted the implications of these vulnerabilities, noting that they could lead to severe breaches in enterprise security infrastructure. 'An unauthenticated attacker with network or physical access to a vulnerable machine can upload arbitrary files, allowing the attacker to execute commands and achieve code execution,' explained a representative from Tenable. The vulnerabilities exploit a lack of proper validation in user-supplied strings before executing system calls, which can allow attackers to execute code in the context of the system user.

As organizations work to secure their systems, Trend Micro emphasizes the importance of immediate updates. 'While it will fully protect against known exploits, we strongly encourage customers to update to the latest builds as soon as possible,' the advisory concluded. Businesses utilizing Apex One are urged to implement the temporary mitigation tool and prepare for the upcoming patch to safeguard their systems against these critical vulnerabilities.

Tactics, Techniques & Procedures (TTPs)

T1203 - Exploit Public-Facing Application: Attackers exploit command injection vulnerabilities in the Apex One Management Console to execute arbitrary commands [1][2]
T1068 - Execution with Unprivileged Actor: The flaw allows pre-authenticated attackers to execute code without needing elevated privileges [3][4]
T1071.001 - Application Layer Protocol: Web Protocols: Exploitation involves sending crafted requests to the Apex One console, which listens on specific TCP ports [5][6]
T1485 - Data Destruction: Successful exploitation could be leveraged to manipulate or delete critical security configurations [7]
T1211 - Exploitation for Client Execution: Attackers could use the vulnerabilities to deploy further malicious payloads on compromised systems [8]
T1070 - Indicator Removal on Host: Attackers may cover their tracks after exploiting the vulnerabilities, potentially erasing logs of their activities [9]
T1040 - Network Sniffing: The vulnerabilities could allow attackers to gain insights into network traffic by executing code that captures sensitive information [10]

Timeline of Events

2025-08-05 - Trend Micro issues a security advisory disclosing the existence of critical vulnerabilities CVE-2025-54948 and CVE-2025-54987 [1][2]
2025-08-06 - Trend Micro confirms active exploitation of the vulnerabilities in the wild, prompting the release of a temporary mitigation tool [3][4]
2025-08-06 - Japanese CERT issues an alert regarding the vulnerabilities, urging users to take immediate protective measures [5]
2025-08-06 - Trend Micro announces that a formal patch is expected to be released by mid-August 2025 [6][7]

Source Citations

Expert quotes: Japanese CERT alert (Article 5); Trend Micro advisory (Article 2); Security expert analysis (Article 3)
Primary findings: Impact details (Articles 7, 9); Vulnerability disclosure (Articles 1, 2, 4); Active exploitation evidence (Articles 3, 6)
Technical details: Mitigation measures (Articles 2, 5); Vulnerability specifics (Articles 1, 3)

Powered by ThreatCluster AI. Generated 8 hours ago. AI analysis may contain inaccuracies.

Related Articles (13 articles)

1. Trend Micro fixes two actively exploited Apex One RCE flaws
   Security Affairs • 13 hours ago • Score 78 • 100.0% similarity
   Trend Micro patched two critical Apex One flaws (CVE-2025-54948, CVE-2025-54987) exploited in the wild, allowing RCE via console injection. Trend Micro released fixes for two critical vulnerabilities, tracked as CVE-2025-54948 and CVE-2025-54987 (CVSS score of 9.4), in Apex One on-prem consoles. The cybersecurity vendor confirmed that both issues were actively exploited in the wild. Both […]

2. CVE-2025-54987, CVE-2025-54948: Trend Micro Apex One Command Injection Zero-Days Exploited In The Wild
   Tenable • 10 hours ago • Score 73 • 100.0% similarity
   Trend Micro releases a temporary mitigation tool to reduce exposure to two unpatched zero-day command injection vulnerabilities which have been exploited. Background: On August 5, Trend Micro released a security advisory for two critical flaws affecting on-prem versions of Apex One Management Console. According to the advisory, Trend Micro has observed active exploitation of the vulnerabilities. CVE / Description / CVSSv3: CVE-2025-54987, Trend Micro Apex One Management Console Command Injection Vulner

3. Attackers Exploit Critical Trend Micro Apex One Zero-Day Flaw
   Dark Reading • 13 hours ago • Score 71 • 100.0% similarity
   Two critical vulnerabilities affect the security vendor's management console, one of which is under active exploitation. The company has updated cloud-based products but won't have a patch for its on-premises version until mid-August.

4. Trend Micro Patches Apex One Vulnerabilities Exploited in Wild
   SecurityWeek • 14 hours ago • Score 66 • 100.0% similarity
   Trend Micro has rushed to fix two Apex One zero-days that may have been exploited by Chinese threat actors.

5. Trend Micro Apex One Hit by Actively Exploited RCE Vulnerability
   GB Hackers • 20 hours ago • Score 64 • 100.0% similarity
   Trend Micro has issued an urgent security bulletin warning customers of critical remote code execution vulnerabilities in its Apex One on-premise management console that are being actively exploited by attackers in the wild. The cybersecurity company disclosed two command injection flaws on August 5, 2025, both carrying a maximum CVSS score of 9.4, indicating the severity of the threat to enterprise networks worldwide. Critical Vulne

6. CC-4687 - Critical RCE Vulnerabilities in Trend Micro Apex One
   NHS Digital Cyber Alerts • 16 hours ago • Score 63 • 100.0% similarity
   Summary: Trend Micro reports active exploitation of management console command injection RCE vulnerability. Affected platforms: the following platforms are known to be affected: Trend Micro Apex One, Apex One (on-prem) 2019 Management Server Version 14039 and below. The following platforms are also known to be affected: Other Trend platforms have alrea

7. Trend Micro warns of Apex One zero-day exploited in attacks
   BleepingComputer • 19 hours ago • Sergiu Gatlan, August 6, 2025 06:06 AM • Score 62 • 100.0% similarity
   Trend Micro has warned customers to immediately secure their systems against an actively exploited remote code execution vulnerability in its Apex One endpoint security platform. Apex One is an endpoint security platform designed to automatically detect and respond to threats, including malicious tools, malware, and vulnerabilities. This critical security flaw (tracked as CVE-2025-54948 and CVE-2025-5

8. Attackers Are Targeting Critical Apex One Vulnerabilities, Trend Micro Warns
   Infosecurity Magazine • 16 hours ago • Score 61 • 100.0% similarity
   Trend Micro has released a temporary fix for the flaws, which enable remote code execution on on-prem Apex One machines.

9. Trend Micro Confirms Active Exploitation of Critical Apex One Flaws in On-Premise Systems
   The Hacker News • 20 hours ago • Score 59 • 100.0% similarity
   Trend Micro has released mitigations to address critical security flaws in on-premise versions of Apex One Management Console that it said have been exploited in the wild. The vulnerabilities (CVE-2025-54948 and CVE-2025-54987), both rated 9.4 on the CVSS scoring system, have been described as management console command injection and remote code execution flaws. "A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malici

10. Trend Micro Apex One flaws exploited in the wild (CVE-2025-54948, CVE-2025-54987)
    Feeds2 • 17 hours ago • Score 57 • 100.0% similarity
    Unauthenticated command injection vulnerabilities (CVE-2025-54948, CVE-2025-54987) affecting the on-premise version of Trend Micro's Apex One endpoint security platform are being probed by attackers, the company warned on Wednesday. Unfortunately for those organizations that use it, a patch is still in the works and is expected to be released around the middle of August 2025. But the company has provided a "fix

11. Critical Trend Micro Apex One Management RCE Vulnerability Actively Exploited in the wild
    Cybersecurity News • 21 hours ago • Score 57 • 100.0% similarity
    Critical command injection remote code execution (RCE) vulnerabilities in Trend Micro Apex One Management Console are currently being actively exploited by threat actors. The company confirmed observing at least one instance of attempted exploitation in production environments, prompting the immediate release of emergency mitigation tools. Key Takeaways: 1. Two RCE vulnerabilities actively exploited in Trend Micro […]

12. NA - CVE-2025-54948 - A vulnerability in Trend Micro Apex One...
    Security Database • 2 days ago • Score 48 • 99.0% similarity
    A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.

13. NA - CVE-2025-54987 - A vulnerability in Trend Micro Apex One...
    Security Database • 2 days ago • Score 48 • 99.0% similarity
    A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. This vulnerability is essentially the same as CVE-2025-54948 but targets a different CPU architecture.


Cluster Intelligence

Key entities and indicators for this cluster:

Industries: Information Technology; Cybersecurity; Financial Services; Healthcare
MITRE ATT&CK: T1071.001; T1068; T1040; T1203; T1485
Countries: Japan
Attack types: Remote Code Execution; Command Injection
Companies: Trend Micro
Platforms: Windows; Apex One; Trend Micro Apex One
Agencies: CERT; Japanese CERT
Vulnerabilities: Remote Code Execution; Command Injection
CVEs: CVE-2025-54987; CVE-2025-54948
Cluster information: Cluster #1704; created 1 day ago; semantic algorithm
