CISA has issued a critical warning regarding a high-severity OS command injection vulnerability in Trend Micro Apex One Management Console that threat actors are actively exploiting in the wild.
The vulnerability, tracked as CVE-2025-54948 and classified under CWE-78, poses significant risks to organizations running on-premise installations of the enterprise security platform.
Key Takeaways
1. CISA confirms CVE-2025-54948 attacks on Trend Micro Apex One.
2. Remote attackers execute OS commands without authentication on on-premise systems.
3. Patch immediately or discontinue use if unavailable.
OS Command Injection Flaw (CVE-2025-54948)
The CVE-2025-54948 vulnerability affects on-premise deployments of the Trend Micro Apex One Management Console and is reachable by remote attackers who hold no valid credentials.
This OS command injection flaw allows an attacker to upload arbitrary code and execute system commands on an affected installation, potentially leading to complete compromise of the management server.
The vulnerability stems from insufficient input validation within the management console interface, allowing attackers to inject malicious OS commands through specially crafted requests.
Once exploited, the flaw grants attackers the ability to execute arbitrary commands with the privileges of the application, effectively bypassing security controls and gaining unauthorized access to sensitive systems.
The flaw is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command): user-supplied input reaches a system command execution function without adequate sanitization, so shell metacharacters in that input are interpreted as part of the command rather than as data.
The pre-authenticated nature of the exploit makes it particularly concerning, as attackers do not require valid credentials to leverage the vulnerability.
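The following is an added illustration of the CWE-78 pattern described above, not Trend Micro code and not the Apex One flaw itself. It uses a hypothetical console feature that checks whether an endpoint is reachable, and assumes a POSIX shell and a `ping` binary; the wrapper, command and allowlist are illustrative only. The vulnerable form hands a concatenated string to the shell, the hardened form validates the value against an allowlist and passes it as a single argv element so no shell ever parses it.

```python
"""Added example (not Trend Micro code): the CWE-78 pattern the advisory
describes, shown on a hypothetical console feature that checks whether an
endpoint is reachable. Assumes a POSIX shell and a `ping` binary; the command
name and wrapper are illustrative only."""
import re
import subprocess

# Allowlist for a hostname or IPv4 literal: letters, digits, dots and hyphens only.
# Shell metacharacters (; | & $ ` and friends) cannot pass this check.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def vulnerable_command(host: str) -> str:
    """Builds a single command-line string from untrusted input (the bug)."""
    return f"ping -c 1 -W 1 {host}"


def vulnerable_run(host: str) -> subprocess.CompletedProcess:
    """shell=True hands the string to /bin/sh, which treats `;`, `|` and `$(...)`
    inside `host` as shell syntax, so anything after a separator runs as its
    own command with the privileges of this process."""
    return subprocess.run(vulnerable_command(host), shell=True,
                          capture_output=True, text=True)


def is_valid_host(host: str) -> bool:
    """Allowlist check; rejects anything that is not a plain host or address."""
    return HOST_RE.fullmatch(host) is not None


def hardened_command(host: str) -> list:
    """Validates against the allowlist, then returns an argv list. With no shell
    involved, `host` reaches ping as exactly one argument whatever it contains."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", "-W", "1", host]


def hardened_run(host: str) -> subprocess.CompletedProcess:
    """Executes the argv list directly; no shell parsing takes place."""
    return subprocess.run(hardened_command(host), capture_output=True, text=True)


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"   # constructed injection payload
    print("vulnerable stdout:", vulnerable_run(payload).stdout.strip())
    try:
        hardened_run(payload)
    except ValueError as exc:
        print("hardened:", exc)
```

The allowlist plus argv-list combination is the fix a reviewer should look for; escaping with `shlex.quote` is a fallback only for the rare case where a shell is genuinely required, and it still leaves the application's privileges exposed to whatever the command does.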
| Risk Factors | Details |
| --- | --- |
| Affected Products | Trend Micro Apex One Management Console (on-premise installations) |
| Impact | Remote code execution, arbitrary command execution |
| Exploit Prerequisites | Network access to the management console; no credentials required |
| CVSS 3.1 Score | 9.8 (Critical) |
Mitigations
CISA added CVE-2025-54948 to its Known Exploited Vulnerabilities Catalog on August 18, 2025, with a mandatory remediation deadline of September 8, 2025, for federal civilian agencies.
The agency recommends that all organizations apply vendor-provided mitigations immediately, or discontinue use of the affected product if no fix is available.
Whether the vulnerability has been used in ransomware campaigns is not yet known, but its active exploitation status means attackers are already weaponizing the flaw.
Organizations should prioritize patching efforts and implement additional network segmentation controls around Apex One deployments as interim protective measures.
Trend Micro has released security advisories and remediation guidance through its technical support channels.
System administrators should immediately review their Apex One Management Console deployments, apply available security updates, and monitor for suspicious authentication attempts or unusual system command execution patterns.
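One way to act on the last recommendation is to alert on process-creation telemetry where the console's web server worker spawns a shell or scripting host, the usual tell of a web-reachable command injection being exploited. The block below is an added example and is not from the page or from Trend Micro. It assumes, without support from the page, that the console is served by an IIS worker (w3wp.exe) or Apache (httpd.exe) on Windows and that telemetry is available with Sysmon Event ID 1 style fields (UtcTime, User, ParentImage, Image, CommandLine); the sample events are constructed.

```python
"""Added detection example (not from the page or from Trend Micro): flag
shell-type processes spawned by the web server that serves a management
console. Assumed, not stated on the page: the console runs under an IIS worker
(w3wp.exe) or Apache (httpd.exe) on Windows, and process-creation telemetry is
available with Sysmon Event ID 1 style fields. The log lines are constructed."""
import ntpath

WEB_WORKERS = {"w3wp.exe", "httpd.exe"}
# Interpreters and living-off-the-land binaries a web worker has no business launching.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe"}
# Children an ASP.NET worker legitimately spawns (assumed baseline; tune per site).
BENIGN_CHILDREN = {"csc.exe", "vbc.exe"}


def image_name(path: str) -> str:
    """Case-insensitive basename of a Windows path."""
    return ntpath.basename(path).lower()


def classify(event: dict):
    """Return 'high', 'medium' or None for one process-creation event."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    if parent not in WEB_WORKERS:
        return None            # only children of the web worker are in scope
    if child in SHELLS:
        return "high"          # web worker -> shell: classic RCE/webshell signal
    if child not in BENIGN_CHILDREN:
        return "medium"        # unexpected child: review, then baseline or escalate
    return None


def detect(events):
    """Run classify() over a sequence of events and return the alerts."""
    alerts = []
    for ev in events:
        severity = classify(ev)
        if severity is not None:
            alerts.append({
                "severity": severity,
                "time": ev.get("UtcTime", ""),
                "user": ev.get("User", ""),
                "parent": image_name(ev.get("ParentImage", "")),
                "child": image_name(ev.get("Image", "")),
                "cmdline": ev.get("CommandLine", ""),
            })
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"UtcTime": "2025-08-18 09:14:02", "User": "IIS APPPOOL\\Console",
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths @C:\\Windows\\Temp\\app.cmdline"},
    {"UtcTime": "2025-08-18 09:14:37", "User": "IIS APPPOOL\\Console",
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami & net user"},
    {"UtcTime": "2025-08-18 09:15:10", "User": "CORP\\admin",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"UtcTime": "2025-08-18 09:16:55", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": "C:\\Program Files\\Apache\\bin\\httpd.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Temp\\x.txt"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']:6}] {alert['time']} {alert['user']} "
              f"{alert['parent']} -> {alert['child']}: {alert['cmdline']}")
```

The parent-child relationship is the durable signal here: the exact command an attacker runs varies, but a web server worker launching `cmd.exe` or `powershell.exe` is rare enough in a baseline that it is worth an immediate look, and the medium tier catches tooling dropped under an unfamiliar name.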