Trend Micro fixes two actively exploited Apex One RCE flaws
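Trend Micro has fixed two high-severity Apex One vulnerabilities (CVE-2025-54948 and CVE-2025-54987), with a CVSS score of 9.4. These vulnerabilities allow attackers to achieve remote code execution (RCE) through command injection. The fix has been deployed for cloud service users, and on-premise users are offered a temporary tool, with a full patch planned for mid-August. 2025-8-6 15:34:3 Author: securityaffairs.com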

Trend Micro patched two critical Apex One flaws (CVE-2025-54948, CVE-2025-54987) exploited in the wild, allowing RCE via console injection.

Trend Micro released fixes for two critical vulnerabilities, tracked as CVE-2025-54948 and CVE-2025-54987 (CVSS score of 9.4), in Apex One on-prem consoles. The cybersecurity vendor confirmed that both issues were actively exploited in the wild.

Both vulnerabilities are command injection remote code execution (RCE) issues in the Apex One Management Console (on-premise).

“Trend Micro has observed at least one instance of an attempt to actively exploit one of these vulnerabilities in the wild,” reads the advisory published by the company.

The company did not publish details about the attacks exploiting these vulnerabilities.

Below are the descriptions of the two flaws:

  • CVE-2025-54948: A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.
  • CVE-2025-54987: A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. This vulnerability is essentially the same as CVE-2025-54948 but targets a different CPU architecture.

Jacky Hsieh @ CoreCloud Tech working with Trend Zero Day Initiative reported both CVE-2025-54948 and CVE-2025-54987.

Trend Micro has deployed mitigations for Apex One as a Service as of July 31, 2025. For on-premise users, a temporary fix tool is available, with a full patch expected by mid-August. While the tool blocks known exploits, it disables the Remote Install Agent feature in the console. According to the advisory, other install methods, like UNC path or agent package, remain unaffected.

“Exploiting these types of vulnerabilities generally requires that an attacker has access (physical or remote) to a vulnerable machine. In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security are up-to-date,” concludes the advisory.

For this particular vulnerability, an attacker must have access to the Trend Micro Apex One Management Console, so customers that have their console’s IP address exposed externally should consider mitigating factors such as source restrictions if not already applied.

Pierluigi Paganini

Article source: https://securityaffairs.com/180856/hacking/trend-micro-fixes-two-actively-exploited-apex-one-rce-flaws.html