Trend Micro Apex One (On-Prem) Zero-day Vulnerabilities Exploited in the Wild (CVE-2025-54948 & CVE-2025-54987)

Threat actors are exploiting two vulnerabilities impacting Trend Micro Apex One (on-prem) devices. Tracked as CVE-2025-54948 and CVE-2025-54987, the vulnerabilities may allow attackers to achieve remote code execution upon successful exploitation. Both vulnerabilities have a critical severity rating with a CVSS score of 9.4.

Trend Micro mentioned in the advisory that they had observed at least one instance of an attempt to exploit one of these vulnerabilities in the wild.

Apex One is an on-premises and cloud-based endpoint security solution that helps small and large enterprises with virtual patching and threat detection. URL filtering, pre-execution machine learning, root cause analysis, and data encryption are some of its important features.

CVE-2025-54948: Management Console Command Injection Remote Code Execution Vulnerability

The vulnerability in the Trend Micro Apex One (on-prem) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.

CVE-2025-54987: Management Console Command Injection Remote Code Execution Vulnerability

The vulnerability in the Trend Micro Apex One (on-prem) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.

NOTE: CVE-2025-54987 is essentially the same as CVE-2025-54948 but targets a different CPU architecture. For successful exploitation of the vulnerabilities, an attacker must have access (physical or remote) to a vulnerable machine.

Affected Versions

The vulnerabilities affect Trend Micro Apex One 2019 (On-Prem) Management Server Version 14039 and below.

Mitigation

Trend Micro released an emergency fix tool as a short-term mitigation for the vulnerabilities.

Trend Micro mentioned in the advisory, “The fix tool is a short-term mitigation, and while it will fully protect against known exploits, it will disable the ability for administrators to utilize the Remote Install Agent function to deploy agents from the Trend Micro Apex One Management Console (see below example for expected error message). Other agent install methods, such as UNC path or agent package, are unaffected.”

For more information, please visit the Trend Micro Security Advisory.

Qualys Detection

Qualys customers can scan their devices with QID 383740 to detect vulnerable assets.

Please follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://success.trendmicro.com/en-US/solution/KA-0020652
