Trend Micro Warns of Apex One Vulnerabilities Exploited in the Wild
August 12th, 2025
Critical

Our Cyber Threat Intelligence Unit is monitoring active exploitation of two recently disclosed vulnerabilities in the Trend Micro Apex One (on-premise) Management Console, identified as CVE-2025-54948 and CVE-2025-54987. These pre-authentication command injection vulnerabilities allow unauthenticated remote attackers to execute arbitrary code on affected Management Console servers. Both vulnerabilities are critical because the affected components run with high privileges, making the console an attractive target for threat actors aiming to gain initial access, establish persistence, and disable endpoint protections. Trend Micro has issued a temporary Fix Tool (FixTool_Aug2025) to prevent exploitation; however, it disables the Remote Install Agent feature until the permanent patch is available in mid-August 2025. Given the widespread use of Trend Micro Apex One in enterprise environments and its crucial role in endpoint security, successful exploitation could result in extensive lateral movement, data theft, and defense evasion. The risk is highest in environments where the Management Console is publicly accessible or misconfigured.
Technical Details
Attack Type: Pre-Authentication Command Injection → Remote Code Execution.
Severity: Critical (CVSS 9.4).
CVE Identifiers:
CVE-2025-54948: Targets one CPU architecture.
CVE-2025-54987: Same vulnerability impacting a different CPU architecture.
Affected Components: Trend Micro Apex One (on-premise) Management Console (Apex One 2019, Management Server Version 14039 and earlier).
Exploitation: No authentication required; injection into vulnerable Management Console endpoints allows execution of arbitrary system commands with elevated privileges on the console server.
Mitigation Status: ‘FixTool_Aug2025’ is available and disables Remote Install Agent until patched. Permanent patch due mid-August 2025.
Attack Surface: Exploitation can occur over the network if the Management Console web interface is accessible.
Operational Impact: Console compromise facilitates adversary-controlled deployment of files or scripts to managed endpoints.
Exposure: Increased risk in internet-exposed or poorly segmented deployments.

Impact
Remote attackers can execute arbitrary code on the Apex One Management Console server, enabling them to disable endpoint protections, evade detection, and move laterally within networks.
Successful attacks can compromise sensitive data, disrupt business operations, and result in data exfiltration or regulatory violations.
The widespread use of Trend Micro's products in enterprise environments increases the risk of broad exploitation across industries.
Organizations may face operational downtime, reputational damage, or regulatory scrutiny if compromised systems are involved in data handling or critical operations.
Detection Method
Monitor the Apex One Management Console Service for unexpected child processes.
Review web server logs for suspicious command injection patterns or anomalous POST requests to administrative endpoints.
Alert on console-initiated deployments at atypical times, from unusual IPs, or targeting non-standard host groups.
Detect creation of scheduled tasks or Windows services by the console process that are not part of normal operations.
Correlate events from EDR, SIEM, and Apex One logs to identify abnormal command execution, privilege escalation attempts, or mass endpoint configuration changes.
Check for public exposure of Management Console ports and URLs via attack surface scanning.
Investigate any alerts related to endpoint protection disablement or tampering.
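The following script is an added example (not Trend Micro's tooling and not part of this advisory) that turns three of the detection methods above into runnable logic: it flags anomalous POST requests to administrative console endpoints in web server logs, flags unexpected child processes of the console service in process-creation telemetry, and correlates the two by time. The admin path prefix, the console service image name, the trusted address ranges, the business-hours window and all sample log lines are constructed placeholders; substitute the values from your own deployment.

```python
"""Added example: detection logic for the Apex One console compromise
scenarios described above. Paths, image names and sample logs are
constructed placeholders, not Trend Micro values."""
import ipaddress
import re
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"
# ASSUMPTION: placeholder prefix under which the console's admin endpoints live.
ADMIN_PATH_PREFIX = "/console/admin/"
# Shell metacharacters that never belong in legitimate console parameters.
METACHAR_RE = re.compile(r"[;&|`]|\$\(|%0a", re.IGNORECASE)
# ASSUMPTION: networks from which administrators normally reach the console.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local time
# ASSUMPTION: placeholder image name for the console service process.
CONSOLE_IMAGE = r"C:\Program Files\Vendor\Console\ConsoleService.exe"
# Children the console service is expected to spawn during normal operation.
EXPECTED_CHILDREN = {"conhost.exe", "w3wp.exe"}
# Interpreters and persistence tools that warrant a high-severity alert.
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "sc.exe", "schtasks.exe"}

# Constructed W3C-style web log: date time method uri-stem uri-query status client-ip
SAMPLE_WEB_LOG = """\
2025-08-11 09:15:02 POST /console/admin/deploy.cgi host=srv01 200 10.0.5.21
2025-08-11 03:42:17 POST /console/admin/deploy.cgi host=srv01;whoami 200 203.0.113.9
2025-08-11 10:01:44 GET /console/login.html - 200 10.0.5.22
2025-08-11 02:07:55 POST /console/admin/settings.cgi name=$(id) 500 198.51.100.4
2025-08-11 11:30:09 POST /console/admin/deploy.cgi host=srv02 200 10.0.5.21
"""

# Constructed Sysmon-style process-creation events (ParentImage -> Image).
SAMPLE_PROCESS_EVENTS = [
    {"time": "2025-08-11 03:42:18", "parent": CONSOLE_IMAGE,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"time": "2025-08-11 09:15:03", "parent": CONSOLE_IMAGE,
     "image": r"C:\Windows\System32\conhost.exe", "cmdline": "conhost.exe"},
    {"time": "2025-08-11 02:08:00", "parent": CONSOLE_IMAGE,
     "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc.exe create updsvc"},
]


def _is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def analyze_web_log(text):
    """Flag POSTs to admin endpoints that carry metacharacters, come from
    untrusted addresses, or arrive outside business hours."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # malformed or unexpected log format
        date, clock, method, path, query, _status, ip = parts
        if method != "POST" or not path.startswith(ADMIN_PATH_PREFIX):
            continue
        reasons = []
        if METACHAR_RE.search(query):
            reasons.append("shell metacharacters in parameters")
        if not _is_trusted(ip):
            reasons.append(f"request from untrusted address {ip}")
        if datetime.strptime(f"{date} {clock}", TIME_FMT).hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings.append({"time": f"{date} {clock}", "ip": ip, "reasons": reasons})
    return findings


def analyze_process_events(events):
    """Flag children of the console service that are not on the expected list."""
    findings = []
    for ev in events:
        if ev["parent"].lower() != CONSOLE_IMAGE.lower():
            continue
        child = ev["image"].rsplit("\\", 1)[-1].lower()
        if child in EXPECTED_CHILDREN:
            continue
        severity = "high" if child in HIGH_RISK_CHILDREN else "medium"
        findings.append({"time": ev["time"], "child": child,
                         "severity": severity, "cmdline": ev["cmdline"]})
    return findings


def correlate(web_findings, proc_findings, window_s=30):
    """Pair a suspicious admin POST with a console child spawned within window_s."""
    pairs = []
    for w in web_findings:
        w_time = datetime.strptime(w["time"], TIME_FMT)
        for p in proc_findings:
            delta = (datetime.strptime(p["time"], TIME_FMT) - w_time).total_seconds()
            if 0 <= delta <= window_s:
                pairs.append((w["ip"], p["child"], delta))
    return pairs


if __name__ == "__main__":
    web = analyze_web_log(SAMPLE_WEB_LOG)
    procs = analyze_process_events(SAMPLE_PROCESS_EVENTS)
    for ip, child, delta in correlate(web, procs):
        print(f"admin POST from {ip} followed by console child {child} after {delta:.0f}s")
```

Tune the three assumption blocks before use: the address ranges and hours should match your change windows, and the expected-children list should be built from a baseline of the console host taken before the advisory date, otherwise a legitimate installer run will alert alongside a real injection. The correlation window is deliberately short because a command injected through the console spawns its child almost immediately; widen it only if your log sources have clock skew.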
Indicators of Compromise
There are no Indicators of Compromise (IOCs) for this Advisory.

Recommendations
Apply Trend Micro’s FixTool_Aug2025 immediately to all on-prem Management Consoles.
This blocks the exploit but disables the Remote Install Agent feature until patched.
Apex One-as-a-Service customers do not need to take action as mitigations were applied automatically on July 31, 2025.
Isolate or segment high-value systems to reduce lateral movement if an endpoint is compromised.
Strengthen Management Console configurations by enabling HTTPS, enforcing strong authentication, and restricting admin accounts.
Perform a forensic review of the console server for signs of compromise before applying patches.
Enhance monitoring and logging of endpoint activity during and after the patching process to identify any delayed exploitation attempts.
Educate security teams on the characteristics of the zero-day and indicators of compromise to facilitate quicker response.
Conclusion
The active exploitation of CVE-2025-54948 and CVE-2025-54987 in Trend Micro’s Apex One Management Console highlights how endpoint protection platforms themselves can be targeted as initial access points. Trend Micro has already observed at least one active in-the-wild exploit, prompting an urgent call for users to apply mitigations and updates immediately.
We urge organizations running Trend Micro Apex One to treat these systems as high-value assets, apply mitigations immediately, limit exposure, and be prepared for the mid-August patch deployment. Failing to act before the mid-August patch window risks leaving environments vulnerable to complete system compromise, data theft, and operational disruptions.