Trend Micro Confirms Ongoing Exploitation of Critical Apex One Vulnerabilities in On-Premise Systems


Aug 06, 2025 | Ravie Lakshmanan | Vulnerability / Endpoint Security

Critical Security Flaws Identified in Trend Micro Apex One

Trend Micro has released mitigations for serious security flaws in the on-premise versions of its Apex One Management Console. These vulnerabilities have been actively exploited, raising significant concerns within the cybersecurity community.

Understanding the Vulnerabilities

The two critical vulnerabilities, tracked as CVE-2025-54948 and CVE-2025-54987, each carry a CVSS score of 9.4. Both are command injection flaws in the management console that can lead to remote code execution.

According to Trend Micro, these vulnerabilities allow attackers to upload malicious code and execute commands remotely without authenticating first. A malicious actor can therefore exploit the weakness without needing an account or prior access to the system, which makes it all the more dangerous.

Key Differences Between the Vulnerabilities

While both vulnerabilities are fundamentally similar, there is a notable distinction. CVE-2025-54987 specifically targets a different CPU architecture, which may have implications for various installations. The Trend Micro Incident Response Team, along with Jacky Hsieh from CoreCloud Tech, played a vital role in bringing these flaws to light.

Real-World Exploitation Risks

As of now, specifics surrounding the methods utilized in actual attacks remain scarce. However, Trend Micro has confirmed observing at least one attempt to exploit these vulnerabilities in a real-world scenario. This underscores the urgency for affected users to secure their systems promptly.

Mitigation Strategies Implemented

On July 31, 2025, mitigations were rolled out for both Trend Micro Apex One as a Service and Trend Vision One Endpoint Security – Standard. For on-premise versions, users have access to a temporary fix tool designed to address these vulnerabilities. A comprehensive patch is anticipated for release by mid-August 2025.

It’s essential to note that while the temporary tool protects against known exploits, it will disable the Remote Install Agent function within the Management Console. Nevertheless, other installation methods, such as using UNC paths or agent packages, remain unaffected.

Guidelines for Enhanced Security

Trend Micro has highlighted that exploiting these vulnerabilities typically requires an attacker to gain physical or remote access to a vulnerable system. As a preventive measure, organizations are urged to apply patches and update their security solutions promptly. Additionally, reviewing remote access policies and ensuring perimeter security measures are up to date is crucial.

For further protection, businesses should restrict access to the Trend Micro Apex One Management Console, especially if the console’s IP address is exposed to the internet. Implementing source restrictions is an advisable step to mitigate potential risks.
