Trend Micro Fixes Two Actively Exploited Apex One RCE Flaws

Trend Micro has issued a critical patch for two actively exploited vulnerabilities in its Apex One solution, both of which allow remote code execution through command injection in the management console.

The cybersecurity vendor confirmed that the two flaws, tracked as CVE-2025-54948 and CVE-2025-54987, have been exploited in the wild. Both are classified as command injection remote code execution (RCE) issues on Apex One Management Console (on-premise), with a CVSS score of 9.4.

"Trend Micro has observed at least one instance of an attempt to actively exploit one of these vulnerabilities in the wild," reads the advisory published by the company.

The two flaws were discovered by Jacky Hsieh @ CoreCloud Tech, who is also working with the Trend Zero Day Initiative. Trend Micro has deployed mitigations for Apex One as a Service as of July 31, 2025.

For on-premise users, a temporary fix tool is available, which blocks known exploits but disables the Remote Install Agent feature in the console. However, other install methods, such as UNC path or agent package, remain unaffected.

"Exploiting these types of vulnerabilities generally requires that an attacker has access (physical or remote) to a vulnerable machine. In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security are up-to-date," concludes the advisory.

For this particular vulnerability, an attacker must have access to the Trend Micro Apex One Management Console, so customers that have their console's IP address exposed externally should consider mitigating factors such as source restrictions if not already applied.

Patch Status and Recommendations

Trend Micro recommends that all customers apply the patch as soon as possible. The temporary fix tool is available for on-premise users, while a full patch is expected by mid-August.

Customers are advised to review their remote access to critical systems and ensure that policies and perimeter security are up-to-date. Additionally, they should consider mitigating factors such as source restrictions if not already applied.

Prevention is Key

"In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security are up-to-date," concludes the advisory.

By taking these steps, customers can significantly reduce the risk of exploitation and protect their systems from potential attacks.