TT-CSIRT – 445.06.08.25 – Critical RCE Vulnerabilities in Trend Micro Apex One (On-Premise) Management Console
Please be advised that Trend Micro has identified and issued mitigations for two critical command injection vulnerabilities, CVE-2025-54948 and CVE-2025-54987, affecting the Apex One (On-Premise) Management Console. Both vulnerabilities may allow unauthenticated remote attackers to execute arbitrary commands on affected systems.
Importantly, Trend Micro has observed active exploitation attempts in the wild (ITW) for at least one of these vulnerabilities.
Impact
- Remote Code Execution (RCE): The vulnerabilities allow unauthenticated (pre-authentication) attackers to execute arbitrary OS commands via the Apex One Management Console.
- Multiple CPU Architectures Affected: Exploitation affects various system architectures, increasing potential exposure.
Mitigating Factors
- Exploitation requires access (physical or remote) to the Apex One Management Console.
- Systems with externally exposed console IPs are at higher risk.
- It is recommended to:
  - Restrict access to the console via IP allowlisting.
  - Review and harden perimeter firewall and remote access policies.
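
One way to check the IP allowlisting recommendation on the Apex One server itself, as an added example that is not Trend Micro or TT-CSIRT code: the script lists enabled inbound Windows Firewall allow rules that cover the console port and flags those with no source restriction. The port value 4343 and the helper name Test-RuleCoversPort are assumptions; set the port to the one your installation uses.

```powershell
# Added example (not vendor or TT-CSIRT code). Run in an elevated session on the Apex One server.
# Assumption: the console listens on TCP 4343; set $ConsolePort to the port your install uses.
$ConsolePort = 4343

# Hypothetical helper: true when a rule's LocalPort list ('Any', '443', '4000-5000', ...)
# covers $Port. Keyword entries such as 'RPC' never match.
function Test-RuleCoversPort {
    param([string[]]$LocalPort, [int]$Port)
    foreach ($entry in $LocalPort) {
        if ($entry -eq 'Any' -or $entry -eq "$Port") { return $true }
        if ($entry -match '^(\d+)-(\d+)$' -and
            $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

# ActiveStore is the effective policy, so rules delivered by Group Policy are included.
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True

$report = foreach ($rule in $rules) {
    $ports = $rule | Get-NetFirewallPortFilter
    if ($ports.Protocol -notin @('TCP', 'Any')) { continue }
    if (-not (Test-RuleCoversPort -LocalPort $ports.LocalPort -Port $ConsolePort)) { continue }

    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Profile       = $rule.Profile
        RemoteAddress = $remote -join ', '
        # 'Any' means no source restriction: the allowlisting mitigation is not in place.
        Unrestricted  = $remote -contains 'Any'
    }
}

$report | Sort-Object Unrestricted -Descending | Format-Table -AutoSize -Wrap
```

Rules reported with Unrestricted set to True can be narrowed to the administrative networks with Set-NetFirewallRule -RemoteAddress. A host firewall check does not replace the perimeter review in the next item, since exposure may also come from NAT or reverse-proxy rules upstream.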
Affected and Previously Impacted Version(s)
Product | Affected Version(s) | Platform | Language |
Trend Micro Apex One (On-Prem) | 2019 – Management Server v14039 and below | Windows | English |
Trend Micro Apex One as a Service | N/A* | Windows | English |
Trend Vision One™ Endpoint Security | N/A* | Windows | English |
Solution: Update Firmware
Trend Micro has released the following mitigations to address the issue:
Product | Updated version | Notes | Platform | Availability |
Trend Micro Apex One (on-prem) | FixTool_Aug2025 (Short-Term Mitigation) | Updated on Aug. 6, 2025** | Windows | Now Available |
Trend Micro Apex One as a Service* / Trend Vision One™ Endpoint Security – Standard Endpoint Protection | July 31, 2025 Implemented Mitigation | | Windows | Already Deployed |
Recommendations
- Immediately apply FixTool_Aug2025 if running affected on-prem versions.
- Monitor systems for unusual activity.
- Prepare to deploy the critical patch once available in mid-August.
- Consider limiting external exposure of the management console.
- Review and update user credentials and access controls regularly.
References
- https://success.trendmicro.com/en-US/solution/KA-0020652
- https://nvd.nist.gov/vuln/detail/CVE-2025-54987
- https://nvd.nist.gov/vuln/detail/CVE-2025-54948
If you have any queries, comments, or require assistance, please feel free to contact TT-CSIRT via contacts@ttcsirt.gov.tt.