Trend Micro has issued a critical alert regarding two actively exploited zero-day vulnerabilities in its Apex One endpoint security platform. Both are OS command injection flaws in the Apex One Management Console (on-premise) that allow pre-authenticated remote code execution. The company has released a short-term mitigation tool and plans to publish a permanent fix in mid-August 2025.
Severity Level: Critical
Vulnerability Details
1. CVE IDs: CVE-2025-54948 and CVE-2025-54987
2. CVSS Score: 9.4
3. Weakness: CWE-78 (OS Command Injection)
4. Description: Pre-authenticated remote code execution via malicious code injection on the management console.
5. Exploitation in the Wild
- At least one confirmed exploitation attempt has been observed.
- Successful exploitation does not require authentication.
- Exploits require access to the Apex One Management Console, making internet-exposed systems particularly vulnerable.
6. Affected Products
- Trend Micro Apex One (on-prem) 2019, Management Server Version 14039 and below
- Trend Micro Apex One as a Service
- Trend Vision One™ Endpoint Security – Standard Endpoint Protection
7. Fixed Version / Patch Info
| Product | Fix / Mitigation | Availability |
| --- | --- | --- |
| Apex One (On-Premise) | FixTool_Aug2025 (Short Term Mitigation) | Available Now |
| Apex One as a Service | Out-of-band mitigation (Jul 31) | Already Deployed |
| Vision One Endpoint Protection | Out-of-band mitigation (Jul 31) | Already Deployed |
A full critical patch for the on-premise version is expected mid-August 2025 and will restore Remote Install Agent functionality disabled by the temporary fix.
Recommendations
- Restrict console access to trusted IP ranges only. Use firewall policies to block all inbound connections to the Apex One Management Console from public or untrusted networks.
- Immediately deploy the FixTool_Aug2025.exe mitigation tool provided by Trend Micro. SHA-256: c945a885a31679a913802a2aefde52b672bb2c8ac98bbed52b723e6733c0eadc. Be aware this disables Remote Install Agent functionality.
- Plan for prompt deployment of the official critical patch, expected mid-August 2025, once it becomes available. Monitor the official advisory page for updates.
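The two actionable recommendations above (verify and run the mitigation tool, and restrict console access to trusted ranges) can be carried out on the Apex One management server with the Windows PowerShell below. This is an added example written for this advisory, not a script from Trend Micro; the SHA-256 value is the one published above, while the tool path, the trusted IP ranges and the console port are assumptions to be replaced with your own values (the advisory does not state the console port).

```powershell
# Added example (not Trend Micro's own tooling). Run elevated on the Apex One management server.

# Expected SHA-256 of FixTool_Aug2025.exe, taken from the advisory above.
$ExpectedSha256 = 'c945a885a31679a913802a2aefde52b672bb2c8ac98bbed52b723e6733c0eadc'

function Test-FixToolHash {
    <# Returns $true only if the file at $Path matches the published hash. #>
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Expected = $ExpectedSha256
    )
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Mitigation tool not found at $Path"
        return $false
    }
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    # String comparison with -eq is case-insensitive in PowerShell, so hex case does not matter.
    return ($actual -eq $Expected)
}

function Set-ConsoleAccessScope {
    <# Scopes inbound access to the console port to trusted ranges only.
       Existing inbound Allow rules that cover the port are narrowed in place, and a
       dedicated Allow rule is added; the default inbound policy then drops everything else. #>
    param(
        [Parameter(Mandatory)] [string[]] $TrustedRanges,
        [Parameter(Mandatory)] [int] $ConsolePort
    )
    # Narrow any pre-existing inbound Allow rules that open this port to the whole world.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$ConsolePort" } |
        Set-NetFirewallRule -RemoteAddress $TrustedRanges

    # Add an explicit Allow rule for the trusted ranges (idempotent: skip if already present).
    $name = 'Apex One Management Console - trusted ranges only'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $ConsolePort -RemoteAddress $TrustedRanges -Action Allow -Profile Any | Out-Null
    }

    # Report any remaining inbound Allow rule on the port that is still open to 'Any' remote address.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$ConsolePort" } |
        ForEach-Object {
            $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            if ($remote -contains 'Any') { Write-Warning "Rule '$($_.DisplayName)' still allows any remote address" }
        }
}

# --- Usage (assumed values; replace with your own) ---
$ToolPath      = 'C:\Temp\FixTool_Aug2025.exe'          # assumption: where you saved the tool
$TrustedRanges = @('10.10.0.0/16', '192.0.2.0/24')       # assumption: constructed admin network ranges
$ConsolePort   = 4343                                    # assumption: console HTTPS port; confirm in your deployment

if (Test-FixToolHash -Path $ToolPath) {
    Write-Host 'Hash verified; running the mitigation tool (this disables Remote Install Agent until the patch).'
    Start-Process -FilePath $ToolPath -Wait
} else {
    Write-Error 'Hash mismatch or file missing: do not run the tool. Re-download it from the official advisory.'
}

Set-ConsoleAccessScope -TrustedRanges $TrustedRanges -ConsolePort $ConsolePort
```

The hash check runs before the tool is executed, so a tampered or corrupted download is never launched. The firewall function narrows existing rules rather than adding a Block rule, because in Windows Firewall a Block rule overrides Allow rules and would also cut off the trusted ranges; it then warns about any rule still open to `Any` so the result can be verified rather than assumed.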
Source:
- https://www.bleepingcomputer.com/news/security/trend-micro-warns-of-endpoint-protection-zero-day-exploited-in-attacks/
- https://success.trendmicro.com/en-US/solution/KA-0020652
- https://www.jpcert.or.jp/english/at/2025/at250016.html