U.S. CISA Adds Trend Micro Apex One Flaw to Its Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Trend Micro's Apex One to its Known Exploited Vulnerabilities (KEV) catalog, warning users of the potential for widespread attacks.
Trend Micro released fixes for two critical vulnerabilities, CVE-2025-54948 and CVE-2025-54987, in Apex One on-prem consoles earlier this month. Both are command injection remote code execution (RCE) flaws in the Apex One Management Console (on-premise), with a CVSS score of 9.4.
The cybersecurity vendor confirmed that both vulnerabilities were actively exploited, with at least one instance of an attempt to exploit one of these vulnerabilities observed in the wild.
Understanding the Vulnerabilities
The two flaws are command injection remote code execution (RCE) issues in the Apex One Management Console (on-premise). According to Trend Micro, exploiting this type of vulnerability generally requires that an attacker have access (physical or remote) to a vulnerable machine.
For this particular vulnerability, an attacker must have access to the Trend Micro Apex One Management Console, so customers that have their console's IP address exposed externally should consider mitigating factors such as source restrictions if not already applied.
Federal Agency Guidance
CISA orders federal agencies to fix the vulnerabilities by September 08, 2025. The agency emphasizes the importance of timely patching and updating solutions to protect against attacks exploiting these flaws.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure, as part of their efforts to reduce the significant risk of known exploited vulnerabilities.
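One way to act on this guidance, shown as an added example that is not from the article or from CISA: join vulnerability-scanner findings against KEV entries and rank them by days left until the KEV due date. The KEV excerpt is constructed (it uses the feed's field names with the CVE and due date named above), and the host names, findings and placeholder CVE are hypothetical.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed (real field names,
# trimmed). The entry uses a CVE and due date named in this article.
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2025-54948", "vendorProject": "Trend Micro",
   "product": "Apex One", "dueDate": "2025-09-08"}
]}
"""

# Constructed scanner findings; host names and the placeholder CVE are hypothetical.
FINDINGS = [
    {"host": "apexone-console-01", "cve": "CVE-2025-54948"},
    {"host": "apexone-console-02", "cve": "cve-2025-54948"},
    {"host": "app-01", "cve": "CVE-0000-00000"},
]

def load_kev(raw):
    """Index KEV entries by upper-cased CVE ID, skipping malformed records."""
    index = {}
    for entry in json.loads(raw).get("vulnerabilities", []):
        try:
            index[entry["cveID"].upper()] = (
                entry["product"], date.fromisoformat(entry["dueDate"]))
        except (KeyError, ValueError):
            continue  # missing field or unparseable date
    return index

def prioritise(findings, kev, today):
    """Return KEV-listed findings, most urgent first, with days to the due date."""
    hits = []
    for f in findings:
        match = kev.get(f["cve"].upper())
        if match is None:
            continue  # not KEV-listed: leave to the normal patch cycle
        product, due = match
        days_left = (due - today).days
        hits.append({"host": f["host"], "cve": f["cve"].upper(),
                     "product": product, "due": due.isoformat(),
                     "days_left": days_left,
                     "status": "OVERDUE" if days_left < 0 else "DUE"})
    return sorted(hits, key=lambda h: (h["days_left"], h["host"]))

if __name__ == "__main__":
    for hit in prioritise(FINDINGS, load_kev(KEV_JSON), date.today()):
        print(hit)
```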
Available Fixes
Trend Micro has deployed mitigations for Apex One as a Service as of July 31, 2025. For on-premise users, a temporary fix tool is available, with a full patch expected by mid-August.
The tool blocks known exploits, but disables the Remote Install Agent feature in the console. According to Trend Micro, other install methods, like UNC path or agent package, remain unaffected.
Prevention and Mitigation Measures
CISA advises customers to review remote access to critical systems and ensure policies and perimeter security are up to date.
"Exploiting these type of vulnerabilities generally require that an attacker has access (physical or remote) to a vulnerable machine. In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security is up-to-date," concludes the advisory.
By taking proactive steps to patch and update their systems, organizations can reduce the risk of being exploited by these vulnerabilities and protect against potential attacks.