Critical Trend Micro Apex One Management RCE Vulnerability Actively Exploited in the wild

Critical command injection remote code execution (RCE) vulnerabilities in Trend Micro Apex One Management Console are currently being actively exploited by threat actors. 

The company confirmed observing at least one instance of attempted exploitation in production environments, prompting the immediate release of emergency mitigation tools.

Key Takeaways
1. Two RCE vulnerabilities actively exploited in Trend Micro Apex One Management Console.
2. Trend Micro released FixTool_Aug2025.exe for immediate protection.
3. Apply emergency fix now for Apex One Management Server Version 14039 and below.

Command Injection RCE Vulnerabilities

Two critical vulnerabilities have been identified in Trend Micro Apex One (on-premise) systems, designated as CVE-2025-54948 and CVE-2025-54987. 

Both vulnerabilities carry a CVSS 3.1 score of 9.4, indicating maximum severity risk. These command injection flaws, categorized under CWE-78: OS Command Injection, allow pre-authenticated remote attackers to upload malicious code and execute arbitrary commands on affected installations.

The vulnerabilities specifically target Trend Micro Apex One Management Server Version 14039 and below on Windows platforms. 

CVE-2025-54987 represents essentially the same vulnerability as CVE-2025-54948 but targets different CPU architectures, expanding the potential attack surface. 

Security researchers from Trend Micro’s Incident Response Team and Jacky Hsieh from CoreCloud Tech, working with the Trend Zero Day Initiative, are credited with responsibly disclosing these critical security flaws.

The attack vector requires the attacker to be able to reach the Trend Micro Apex One Management Console, so organizations whose console IP addresses are exposed externally are particularly at risk.

However, because the flaws are pre-authenticated, an attacker who can reach the console can escalate privileges and execute system-level commands without having to pass any additional authentication barrier.

CVE ID          Title                                                    CVSS 3.1 Score  Severity
CVE-2025-54948  Management Console Command Injection RCE Vulnerability   9.4             CRITICAL
CVE-2025-54987  Management Console Command Injection RCE Vulnerability   9.4             CRITICAL

Mitigations

Trend Micro has released an emergency fix tool, FixTool_Aug2025.exe (SHA-256: c945a885a31679a913802a2aefde52b672bb2c8ac98bbed52b723e6733c0eadc), to provide immediate protection against the known exploits.

This short-term mitigation fully protects against current attack methods but temporarily disables the Remote Install Agent function for deploying agents from the Management Console.
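Because the vendor publishes a SHA-256 for the fix tool, an administrator should verify the downloaded binary against that value before running it on a Management Server. The following PowerShell is an added example written for this article, not code from Trend Micro; the download path is an assumed placeholder and the expected hash is the one quoted above.

```powershell
# Added example (not from Trend Micro or the article): verify FixTool_Aug2025.exe
# against the SHA-256 published in the advisory and only then run it.

# Published hash, copied from the advisory text above.
$ExpectedSha256 = 'c945a885a31679a913802a2aefde52b672bb2c8ac98bbed52b723e6733c0eadc'

# Assumed download location (placeholder; point this at where the tool was saved).
$FixToolPath = 'C:\Temp\FixTool_Aug2025.exe'

function Test-FixToolIntegrity {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedHash
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "Fix tool not found at $Path"
        return $false
    }
    # Get-FileHash computes the digest; compare case-insensitively because
    # vendors publish hashes in either case.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ine $ExpectedHash) {
        Write-Warning "SHA-256 mismatch for $Path`n  expected: $ExpectedHash`n  actual:   $actual"
        return $false
    }
    return $true
}

if (Test-FixToolIntegrity -Path $FixToolPath -ExpectedHash $ExpectedSha256) {
    Write-Host "Hash verified; launching $FixToolPath"
    # Note from the advisory: this tool disables Remote Install Agent until the
    # Critical Patch is applied, so schedule agent rollouts accordingly.
    $proc = Start-Process -FilePath $FixToolPath -Wait -PassThru
    Write-Host "FixTool exited with code $($proc.ExitCode)"
}
else {
    Write-Error 'Refusing to run an unverified fix tool.'
}
```

Run it from an elevated session on the Apex One Management Server and keep the recorded exit code with the change ticket.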

Organizations using Trend Micro Apex One as a Service and Trend Vision One Endpoint Security received automatic protection through backend mitigations deployed on July 31, 2025, requiring no service downtime.

A comprehensive Critical Patch is expected for release in mid-August 2025, which will restore full Remote Install Agent functionality while maintaining security protections.

Security experts strongly recommend immediate application of the emergency fix tool, particularly for organizations with internet-facing management consoles, and implementing additional network segmentation and access controls as defense-in-depth measures.
