Threat actors are exploiting two vulnerabilities impacting Trend Micro Apex One (on-prem) devices. Tracked as CVE-2025-54948 & CVE-2025-54987, the vulnerabilities may allow attackers to achieve remote code execution upon successful exploitation. Both vulnerabilities have a critical severity rating with a CVSS score of 9.4.
Trend Micro mentioned in the advisory that they had observed at least one instance of an attempt to exploit one of these vulnerabilities in the wild.
CISA acknowledged the vulnerability’s active exploitation by adding it to its Known Exploited Vulnerabilities Catalog and urging users to patch it before September 8, 2025.
Apex One is an on-premise and cloud-based endpoint security solution that helps small and large enterprises with virtual patching and threat detection. URL filtering, pre-execution machine learning, root cause analysis, and data encryption are some of its important features.
CVE-2025-54948: Management Console Command Injection Remote Code Execution Vulnerability
The vulnerability in the Trend Micro Apex One (on-prem) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.
CVE-2025-54987: Management Console Command Injection Remote Code Execution Vulnerability
The vulnerability in Trend Micro Apex One (on-prem) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.
NOTE: CVE-2025-54987 is essentially the same as CVE-2025-54948 but targets a different CPU architecture. For successful exploitation of the vulnerabilities, an attacker must have access (physical or remote) to a vulnerable machine.
Qualys Threat Intelligence provided a Qualys Vulnerability Score (QVS) of 95 for the vulnerability. Qualys Vulnerability Score (QVS) is a Qualys-assigned score for a vulnerability based on multiple factors associated with the CVE, such as CVSS and external threat indicators like active exploitation, exploit code maturity, CISA known exploitable, and many more.
Affected Versions
The vulnerabilities affect Trend Micro Apex One 2019 (On-Prem) Management Server Version 14039 and below.
Mitigation
Trend Micro released an emergency fix tool as a short-term mitigation tool to address vulnerabilities.
Trend Micro mentioned in the advisory, “The fix tool is a short-term mitigation, and while it will fully protect against known exploits, it will disable the ability for administrators to utilize the Remote Install Agent function to deploy agents from the Trend Micro Apex One Management Console (see below example for expected error message). Other agent install methods, such as UNC path or agent package, are unaffected.”
For more information, please visit the Trend Micro Security Advisory.
Qualys Detection
Qualys customers can scan their devices with QID 383740 to detect vulnerable assets.
Please follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://success.trendmicro.com/en-US/solution/KA-0020652