Trend Micro Apex One Flaws Actively Exploited

Trend Micro has confirmed that critical vulnerabilities in its on-premise Apex One security solution are being actively exploited in the wild. The flaws, tracked as CVE-2025-54948 and CVE-2025-54987, both carry a severe 9.4 CVSS score and can lead to remote code execution (RCE). While Trend Micro has patched its cloud offering, on-premise customers must apply a temporary fix tool immediately to protect against these threats, with a full patch expected in mid-August 2025. System administrators are urged to apply the fix and review remote access policies.

Trend Micro has rolled out mitigations for critical security flaws in its on-premise Apex One Management Console, confirming that attackers are actively exploiting them in the wild.

Tracked as CVE-2025-54948 and CVE-2025-54987, both vulnerabilities carry a critical CVSS score of 9.4 and are described as command injection and remote code execution (RCE) flaws in the management console.

In a security advisory, the company warned of the potential impact:

“A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.”

While both vulnerabilities are fundamentally similar, they are tracked separately because CVE-2025-54987 applies to a different CPU architecture. Credit for reporting the flaws was given to the Trend Micro Incident Response (IR) Team and Jacky Hsieh at CoreCloud Tech.

Evidence of Active Exploitation

Details about how the flaws are being leveraged in real-world attacks remain scarce. However, Trend Micro confirmed it has “observed at least one instance of an attempt to actively exploit one of these vulnerabilities in the wild.”

Mitigation and Official Patches

For customers using Trend Micro Apex One as a Service, mitigations were automatically deployed on July 31, 2025, requiring no customer action.

However, for on-premise versions, a short-term solution is available now via a fix tool, while a formal patch is scheduled for release in mid-August 2025.

Trend Micro pointed out a key limitation of the temporary fix: while it fully protects against known exploits, it prevents administrators from using the “Remote Install Agent” function. Other agent installation methods, such as using a UNC path or agent package, are not affected.

Recommendations for Admins

Trend Micro advises that “exploiting these type of vulnerabilities generally require that an attacker has access (physical or remote) to a vulnerable machine.”

The company strongly recommends that, in addition to applying patches promptly, customers review remote access to critical systems and ensure that security policies and perimeter defenses are up to date.
