Trend Micro Apex One Hit by Actively Exploited RCE Vulnerability

Trend Micro has issued an urgent security bulletin warning customers of critical remote code execution vulnerabilities in its Apex One on-premise management console that are being actively exploited by attackers in the wild.

The cybersecurity company disclosed two command injection flaws on August 5, 2025, both rated CVSS 9.4 (Critical), underscoring the risk to enterprise networks worldwide.

Critical Vulnerabilities Under Active Attack

The security flaws, tracked as CVE-2025-54948 and CVE-2025-54987, affect the Trend Micro Apex One Management Console running on Windows systems.

Both vulnerabilities stem from OS command injection weaknesses that allow an unauthenticated (pre-auth) remote attacker to upload malicious code and execute arbitrary commands on affected installations.

The company confirmed that at least one instance of active exploitation has been observed, elevating the urgency for immediate protective measures.

These vulnerabilities affect Trend Micro Apex One 2019 (on-premise) Management Server version 14039 and below.

CVE ID         | CVSS Score     | Weakness Type                | ZDI Reference | Attack Vector
CVE-2025-54948 | 9.4 (Critical) | CWE-78: OS Command Injection | ZDI-CAN-27834 | Network, no authentication required
CVE-2025-54987 | 9.4 (Critical) | CWE-78: OS Command Injection | ZDI-CAN-27855 | Network, no authentication required (same flaw, different CPU architecture)

The second CVE essentially represents the same vulnerability but targets a different CPU architecture, expanding the potential attack surface for malicious actors seeking to compromise enterprise security infrastructure.

Recognizing the critical nature of these flaws, Trend Micro has released an emergency mitigation tool called “FixTool_Aug2025” to provide immediate protection against known exploits.

However, this short-term solution comes with a significant operational trade-off: it disables the Remote Install Agent function, preventing administrators from deploying agents directly from the management console.

Alternative deployment methods such as UNC path or agent packages remain unaffected.

The company emphasized that while the fix tool provides full protection against known exploits, a comprehensive Critical Patch is expected around mid-August 2025.

This formal update will restore the disabled Remote Install Agent functionality while maintaining security protections.

Organizations using Trend Micro Apex One as a Service and Trend Vision One Endpoint Security received automatic protection through backend mitigations deployed on July 31, 2025, without service downtime.

However, on-premise installations remain vulnerable until the mitigation tool is applied.

Exploitation requires the attacker to be able to reach the management console over the network, so organizations whose console IP address is exposed to the internet are particularly at risk.

Trend Micro strongly advises reviewing remote access policies and implementing source restrictions where possible.
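One way to implement that source restriction on the console host itself, as an added example that is not part of the Trend Micro bulletin or the FixTool_Aug2025 tool: the script below uses the built-in Windows Defender Firewall to allow the console ports only from named administrator subnets. It assumes the console listens on TCP 4343 (HTTPS) and 8080 (HTTP), the product's default web ports, and the admin subnets and rule name are constructed placeholders; check both against your deployment before running it in an elevated session on the Apex One server.

```powershell
<#
Added example (not Trend Micro's code): restrict inbound access to an on-premise
Apex One management console to administrator subnets with Windows Defender Firewall.

Assumptions, to be verified against the real deployment:
  - console web ports are TCP 4343 (HTTPS) and 8080 (HTTP), the product defaults;
  - $AdminSubnets below are constructed placeholder ranges;
  - the script runs elevated on the Apex One server (supports -WhatIf).
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$AdminSubnets = @('10.10.0.0/24', '192.168.50.0/24'),
    [string[]]$ConsolePorts = @('4343', '8080'),
    [string]$RuleName = 'ApexOne-Console-AdminSubnetsOnly'
)

$ErrorActionPreference = 'Stop'

# 1. Windows Firewall has no "not this subnet" match and evaluates Block rules before
#    Allow rules, so a source restriction is built from two parts: a Block default
#    inbound action on every profile, plus an Allow rule scoped to the admin subnets.
if ($PSCmdlet.ShouldProcess('All firewall profiles', 'Set default inbound action to Block')) {
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
}

# 2. Disable existing enabled inbound Allow rules that expose a console port to any
#    remote address (installers and earlier admins commonly add such rules). Rules
#    whose port filter is 'Any' are reported only, because disabling them could
#    break unrelated services.
$inboundAllow = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
foreach ($rule in $inboundAllow) {
    if ($rule.Name -eq $RuleName) { continue }
    $portFilter = $rule | Get-NetFirewallPortFilter
    $addrFilter = $rule | Get-NetFirewallAddressFilter
    if ($portFilter.Protocol -notin @('TCP', 'Any')) { continue }
    if ($addrFilter.RemoteAddress -ne 'Any') { continue }   # already source-scoped

    $ports = @($portFilter.LocalPort)
    if ($ports -contains 'Any') {
        Write-Warning "Rule '$($rule.DisplayName)' allows inbound TCP from anywhere on all ports; review it manually."
        continue
    }
    $hits = $ports | Where-Object { $ConsolePorts -contains $_ }
    if ($hits -and $PSCmdlet.ShouldProcess($rule.DisplayName, 'Disable broad allow rule')) {
        Disable-NetFirewallRule -Name $rule.Name
        Write-Host "Disabled '$($rule.DisplayName)' (exposed port(s) $($hits -join ', ') to Any)"
    }
}

# 3. Create (or replace) the Allow rule scoped to the admin subnets.
if (Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -Name $RuleName
}
if ($PSCmdlet.ShouldProcess($RuleName, 'Create scoped allow rule')) {
    New-NetFirewallRule -Name $RuleName `
        -DisplayName 'Apex One console: admin subnets only' `
        -Direction Inbound -Protocol TCP -LocalPort $ConsolePorts `
        -RemoteAddress $AdminSubnets -Action Allow -Profile Any | Out-Null
}

# 4. Print the effective rule so the result can be checked against the access policy.
Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        LocalPorts    = ($pf.LocalPort -join ', ')
        RemoteAddress = ($af.RemoteAddress -join ', ')
    }
} | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, this is a host-level control and does not replace the fix tool or the Critical Patch; if the console is published through a NAT or edge device, the same source restriction has to be applied there as well. Second, if agents in your deployment report to the server over the same web listener port as the console, the allowed sources must also include the agent networks, which only excludes internet and guest ranges; a tighter cut that restricts just the console URL path is then done in IIS or at the perimeter rather than with a port-level rule.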

The discovery involved collaboration between Trend Micro’s Incident Response Team and external security researcher Jacky Hsieh from CoreCloud Tech, working through the Trend Zero Day Initiative.

Organizations are urged to apply the mitigation tool immediately while awaiting the comprehensive patch release.
