Affected and Previously Impacted Version(s)
Product | Affected Version(s) | Platform | Language(s) |
---|---|---|---|
Trend Micro Apex One (on-prem) | 2019 Management Server Version 14039 and below | Windows | English |
Trend Micro Apex One as a Service | N/A* | Windows | English |
Trend Vision One™ Endpoint Security - Standard Endpoint Protection | N/A* | Windows | English |
Solution
Trend Micro has released the following mitigations to address the issue:
Product | Updated version | Notes | Platform | Availability |
---|---|---|---|---|
Trend Micro Apex One (on-prem) | (Short Term Mitigation) | Updated on Aug. 6, 2025** | Windows | Now Available |
Trend Micro Apex One (on-prem) | SP1 CP B14081 | Readme | Windows | Now Available |
Trend Micro Apex One as a Service*, Trend Vision One™ Endpoint | July 31, 2025 Implemented Mitigation | | Windows | Already Deployed |
- * - Trend Micro Apex One™ as a Service and Trend Vision One Endpoint Security - Standard Endpoint Protection details have been included strictly for historical informational purposes since the affected backend component for these two have already been mitigated in an out-of-band maintenance on July 31, 2025. No service downtime was required during the mitigation setting implementation.
- ** - SHA-256 for updated FixTool_Aug2025.exe: a9f3de1e8d15b6128aadeb8b5d99dba0d1d08500ccb4a16d58280750c620bab0. Please note that the original version of the tool released on August 5th was reported to fail in some non-standard customer configurations, so an updated version was uploaded on Aug. 6, 2025. There is no need to reapply the tool if the original one was already applied successfully.
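Before running the short-term mitigation tool on a management server, the downloaded file can be checked against the SHA-256 published above. The following PowerShell is an added example, not Trend Micro's own tooling; the function name `Test-FixToolHash` and the download path are assumptions, and the Authenticode lookup is reported for information only because this bulletin does not state how the tool is signed.

```powershell
# Added example: compare a downloaded FixTool_Aug2025.exe with the SHA-256 in this bulletin.
function Test-FixToolHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # SHA-256 of the updated (Aug. 6, 2025) tool, copied from this bulletin.
        [string]$Expected = 'a9f3de1e8d15b6128aadeb8b5d99dba0d1d08500ccb4a16d58280750c620bab0'
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    # Get-FileHash returns upper-case hex, so compare case-insensitively.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $match  = [string]::Equals($actual, $Expected.Trim(), [System.StringComparison]::OrdinalIgnoreCase)

    # Informational only: the bulletin does not describe the tool's signature.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    [pscustomobject]@{
        Path            = (Resolve-Path -LiteralPath $Path).Path
        ActualSha256    = $actual.ToLowerInvariant()
        ExpectedSha256  = $Expected.ToLowerInvariant()
        HashMatches     = $match
        SignatureStatus = $sig.Status
        Signer          = $signer
    }
}

# Assumed download location; adjust to where the file was saved.
$result = Test-FixToolHash -Path "$env:USERPROFILE\Downloads\FixTool_Aug2025.exe"
$result | Format-List
if (-not $result.HashMatches) {
    # The bulletin lists a hash only for the Aug. 6 build, so a mismatch means this is
    # not that build (for example the original Aug. 5 upload, or an altered file).
    Write-Error 'SHA-256 does not match the published value; do not run this file.'
}
```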
A permanent Critical Patch for the Trend Micro Apex One Management Console (on-prem) was released on August 15, 2025. This Critical Patch restores the Remote Install Agent functionality if applied after the fixtool above.
Vulnerability Details
- CVE-2025-54948: Management Console Command Injection RCE Vulnerability
ZDI-25-771
CVSSv3.1: 9.4: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
Weakness: CWE-78: OS Command Injection
A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.
- CVE-2025-54987: Management Console Command Injection RCE Vulnerability
ZDI-25-772
CVSSv3.1: 9.4: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
Weakness: CWE-78: OS Command Injection
A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. This vulnerability is essentially the same as CVE-2025-54948 but targets a different CPU architecture.
Mitigating Factors
Exploiting these types of vulnerabilities generally requires that an attacker has access (physical or remote) to a vulnerable machine. In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security are up to date.
For this particular vulnerability, an attacker must have access to the Trend Micro Apex One Management Console, so customers that have their console’s IP address exposed externally should consider mitigating factors such as source restrictions if not already applied.
However, even though an exploit may require several specific conditions to be met, Trend Micro strongly encourages customers to update to the latest builds as soon as possible.
Acknowledgement
Trend Micro would like to thank the following individuals for responsibly disclosing these issues and working with Trend Micro to help protect our customers:
- Trend Micro Incident Response (IR) Team (CVE-2025-54948)
- Jacky Hsieh @ CoreCloud Tech working with Trend Zero Day Initiative (CVE-2025-54948 and CVE-2025-54987)
External Reference(s)
The following advisories may be found at the Trend Zero Day Initiative Published Advisories site:
- ZDI-25-771
- ZDI-25-772