
Trend Micro Apex One On-Premise Critical RCE Vulnerabilities (CVE-2025-54948, CVE-2025-54987) Exploited in the Wild – Urgent Patch Required


Executive Summary

Trend Micro has released urgent security patches addressing two critical remote code execution (RCE) vulnerabilities in the Apex One (on-premise) Management Console, identified as CVE-2025-54948 and CVE-2025-54987. Both vulnerabilities are rated CVSS 9.4 (Critical) and have been confirmed as exploited in the wild. These flaws enable pre-authenticated remote attackers to upload malicious code and execute arbitrary commands on affected systems, posing a severe risk to enterprise environments. Immediate patching and mitigation are strongly advised to prevent compromise, especially for organizations with externally accessible management consoles.

Technical Information

The vulnerabilities, CVE-2025-54948 and CVE-2025-54987, are both classified as OS Command Injection (CWE-78) flaws within the Trend Micro Apex One (on-premise) Management Console. Both issues allow a remote, unauthenticated attacker to execute arbitrary system commands with the privileges of the management server process. The vulnerabilities are present in Apex One version 2019, specifically Management Server Version 14039 and below.

CVE-2025-54948 is triggered by improper sanitization of user-supplied input in the management console’s web interface. An attacker can craft a specially designed HTTP request that injects operating system commands, which are then executed by the server. This allows for the upload and execution of malicious payloads, lateral movement, and potential full compromise of the underlying host.

CVE-2025-54987 is a similar command injection vulnerability, affecting a different CPU architecture but with the same impact and exploitation vector. Both vulnerabilities are pre-authentication, meaning no valid credentials are required for exploitation, significantly increasing the attack surface.

The vulnerabilities were disclosed through the Zero Day Initiative (ZDI) as ZDI-25-771 and ZDI-25-772. The attack vector is network-based, requiring only access to the management console’s listening port. The vulnerabilities are not dependent on user interaction, and exploitation can be automated.

The technical impact includes arbitrary code execution, privilege escalation, installation of backdoors, data exfiltration, and the potential for attackers to disable or manipulate endpoint protection across the enterprise. The vulnerabilities are particularly dangerous in environments where the management console is exposed to the internet or accessible from untrusted networks.

Exploitation in the Wild

Trend Micro has confirmed at least one exploitation attempt in the wild. Attackers are actively scanning for exposed Apex One management consoles and leveraging these vulnerabilities to gain initial access. The observed tactics, techniques, and procedures (TTPs) include sending crafted HTTP requests to the management console, exploiting the command injection flaw to execute arbitrary commands, and deploying malicious payloads.

No public proof-of-concept (PoC) exploit code has been released as of this report, but the technical simplicity of the attack vector and the criticality of the vulnerabilities suggest that exploitation attempts are likely to increase. Organizations with externally accessible management consoles are at the highest risk, but internal threat actors or compromised internal hosts could also exploit these flaws.

Indicators of compromise (IOCs) include unexpected command execution logs, unauthorized uploads to the management console, and anomalous outbound connections originating from the management server. The SHA-256 hash for the official Trend Micro FixTool_Aug2025.exe is a9f3de1e8d15b6128aadeb8b5d99dba0d1d08500ccb4a16d58280750c620bab0, which should be used to verify the authenticity of the mitigation tool.
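The indicators listed above (unexpected command execution by the management server and anomalous outbound connections from it) can be checked mechanically against endpoint telemetry. The following is an added example written for this advisory, not code from Rescana or Trend Micro: it triages a handful of constructed Sysmon-style events. The management server image name is a placeholder, the allowed destination networks are assumptions, and the event layout is invented for the example; substitute the real process name and network ranges of your deployment.

```python
"""Triage constructed process-creation and network-connection events for the
IOCs named in the advisory. Process name, allow-listed networks and the event
layout are assumptions made for this example."""
import ipaddress
from typing import Dict, Iterable, List

# ASSUMPTION: placeholder for the Apex One management server process image;
# the advisory does not name it, so replace it with the real image name.
MGMT_SERVER_IMAGE = "apexone_mgmt_placeholder.exe"

# Shells and script hosts a management web process has no business spawning.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Destinations the management server is expected to reach (constructed).
ALLOWED_OUTBOUND = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_allowed_destination(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_OUTBOUND)


def triage_event(ev: Dict[str, str]) -> List[str]:
    """Return zero or more alert strings for one event dict."""
    alerts: List[str] = []
    kind = ev.get("event")
    if kind == "process_create":
        parent = basename(ev.get("parent_image", ""))
        child = basename(ev.get("image", ""))
        if parent == MGMT_SERVER_IMAGE and child in SHELL_IMAGES:
            alerts.append(
                f"command execution by management server: {child} "
                f"({ev.get('cmdline', '')})"
            )
    elif kind == "network_connect":
        proc = basename(ev.get("image", ""))
        dest = ev.get("dest_ip", "")
        if proc == MGMT_SERVER_IMAGE and dest and not is_allowed_destination(dest):
            alerts.append(
                f"anomalous outbound connection from management server to "
                f"{dest}:{ev.get('dest_port', '')}"
            )
    return alerts


def triage(events: Iterable[Dict[str, str]]) -> List[str]:
    out: List[str] = []
    for ev in events:
        out.extend(triage_event(ev))
    return out


# Constructed sample telemetry; these are not real log records.
SAMPLE_EVENTS = [
    {"event": "process_create",
     "parent_image": r"C:\Program Files\Vendor\apexone_mgmt_placeholder.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"event": "process_create",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"event": "network_connect",
     "image": r"C:\Program Files\Vendor\apexone_mgmt_placeholder.exe",
     "dest_ip": "10.20.30.40", "dest_port": "443"},
    {"event": "network_connect",
     "image": r"C:\Program Files\Vendor\apexone_mgmt_placeholder.exe",
     "dest_ip": "203.0.113.10", "dest_port": "4444"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Only the first and last sample events should raise alerts: a shell spawned by an interactive user is normal, and an outbound connection to an internal address is within the allow-list. In production the same two rules would be expressed in the SIEM or EDR query language rather than in a script, but the logic is the one shown.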

APT Groups using this vulnerability

As of this report, there is no confirmed attribution to specific advanced persistent threat (APT) groups exploiting CVE-2025-54948 or CVE-2025-54987. However, the exploitation method aligns with tactics commonly used by both financially motivated cybercriminals and state-sponsored actors targeting enterprise security infrastructure. The vulnerabilities’ characteristics—pre-authentication, remote code execution, and targeting of security management infrastructure—make them attractive to a wide range of threat actors.

The MITRE ATT&CK techniques associated with these vulnerabilities are T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter). While no APT group has been publicly linked to these specific CVEs, similar vulnerabilities in security management products have historically been exploited by groups such as APT41, FIN7, and UNC2452. Organizations should remain vigilant for signs of sophisticated intrusion attempts and monitor threat intelligence sources for updates.

Affected Product Versions

The affected products are Trend Micro Apex One (on-premise) version 2019, specifically Management Server Version 14039 and below, running on Windows platforms in English language environments. Apex One as a Service and Vision One Endpoint Security are not affected, as out-of-band mitigations were applied prior to public disclosure.

Any organization running the on-premise version of Apex One with a management server version at or below 14039 is vulnerable. It is critical to verify the current version and apply the necessary patches or mitigation tools as outlined by Trend Micro.

Workaround and Mitigation

Trend Micro has released both short-term and permanent mitigation solutions. The immediate workaround is the deployment of FixTool_Aug2025, released on August 6, 2025. This tool disables the Remote Install Agent function in the management console, effectively blocking the exploitation vector. The SHA-256 hash for the FixTool is provided above for verification purposes.

The permanent fix is included in Critical Patch SP1 CP B14081, released on August 15, 2025. This patch not only addresses the vulnerabilities but also restores the Remote Install Agent functionality. Organizations are strongly advised to apply this patch as soon as possible.

For customers using Apex One as a Service or Vision One Endpoint Security, no action is required, as Trend Micro has already applied out-of-band mitigations.

Additional mitigation steps include restricting network access to the management console, ensuring it is not exposed to the internet, and reviewing firewall rules to limit access to trusted administrative hosts only. Continuous monitoring for suspicious activity, such as unauthorized uploads or unexpected command execution, is also recommended.

If the FixTool was applied successfully before August 6, 2025, no reapplication is necessary. However, all organizations should proceed to deploy the permanent patch to ensure full remediation and restoration of functionality.
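Two checks follow from the mitigation steps above: the downloaded FixTool should be verified against the published SHA-256 before it is run, and the management server build number decides which remediation applies. The following is an added example, not code from Rescana or Trend Micro. The hash and the build numbers 14039 and 14081 are taken from the advisory; the file location is an assumption, and the handling of builds between those two numbers is this example's own conservative choice, since the advisory does not describe them.

```python
"""Verify FixTool_Aug2025.exe against the advisory's SHA-256 and map a
management server build number to the prescribed remediation. File path is
an assumption; hash and build numbers come from the advisory."""
import hashlib
import hmac
import os

# SHA-256 published in the advisory for the official FixTool_Aug2025.exe.
FIXTOOL_SHA256 = "a9f3de1e8d15b6128aadeb8b5d99dba0d1d08500ccb4a16d58280750c620bab0"
LAST_AFFECTED_BUILD = 14039  # Management Server Version 14039 and below
PATCHED_BUILD = 14081        # Critical Patch SP1 CP B14081 carries the fix


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream the file in 1 MiB chunks so a large installer is not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_matches(computed: str, expected: str = FIXTOOL_SHA256) -> bool:
    """Case-insensitive, constant-time comparison of two hex digests."""
    return hmac.compare_digest(computed.lower(), expected.lower())


def verify_fixtool(path: str) -> bool:
    return digest_matches(sha256_of_file(path))


def remediation_for_build(build: int) -> str:
    """Action the advisory prescribes for a given management server build."""
    if build <= LAST_AFFECTED_BUILD:
        return "vulnerable: apply FixTool_Aug2025 now, then Critical Patch SP1 CP B14081"
    if build >= PATCHED_BUILD:
        return "patched: B14081 or later includes the permanent fix"
    # Builds between 14039 and 14081 are not described by the advisory.
    return "not covered by the advisory: confirm status with Trend Micro"


if __name__ == "__main__":
    # ASSUMPTION: where the downloaded tool was saved; override via FIXTOOL_PATH.
    tool = os.environ.get("FIXTOOL_PATH", r"C:\Temp\FixTool_Aug2025.exe")
    print(remediation_for_build(14039))
    if os.path.exists(tool):
        ok = verify_fixtool(tool)
        print("FixTool hash OK" if ok else "FixTool hash MISMATCH: do not run it")
    else:
        print(f"FixTool not found at {tool}")
```

A mismatching digest means the file is not the tool Trend Micro published and must not be executed; the constant-time compare is a habit worth keeping even where timing is irrelevant, because it costs nothing.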

References

For further technical details and official advisories, consult the following resources:

Rescana is here for you

At Rescana, we understand the critical importance of timely vulnerability management and third-party risk reduction. Our TPRM platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their entire digital supply chain. While this advisory focuses on the latest Trend Micro Apex One vulnerabilities, our platform is designed to help you stay ahead of emerging threats, streamline compliance, and enhance your overall security posture. If you have any questions about this advisory or require assistance with incident response, please contact us at ops@rescana.com. We are here to support your cybersecurity needs.
