Trend Micro Apex One Critical Vulnerabilities

---

Overview

In early August 2025, Trend Micro issued an urgent security bulletin disclosing two actively exploited critical vulnerabilities in its Apex One and Apex One as a Service (on-prem) endpoint protection platforms. These vulnerabilities could allow unauthenticated remote code execution (RCE) via the Management Console, posing significant security and operational risk to enterprise environments using the on-premise version of Apex One.

Vulnerability Details

1. CVE-2025-54948

• Type: Command Injection Vulnerability
• CVSS v3.1 Score: 9.4 (Critical)
• Affected Component: Remote Install Agent within Apex One Management Console
• Impact: Allows unauthenticated attackers to execute arbitrary OS commands remotely.
• Exploit Status: Confirmed in the wild – active exploitation observed.
• Architecture Affected: x86/x64 (standard server environments)

2. CVE-2025-54987

• Type: Command Injection (similar vector as above, different architecture)
• CVSS v3.1 Score: 9.4 (Critical)
• Architecture Affected: ARM-based systems
• Impact & Exploit: Same as CVE-2025-54948; actively being exploited in the wild.

Root Cause and Attack Vector

These vulnerabilities stem from insufficient input sanitization in the Remote Install Agent interface of the Apex One Management Console. Specifically:

• Attackers can send specially crafted HTTP requests to bypass authentication and inject system commands.
• Since the interface is commonly exposed on internal networks (and occasionally externally), this creates a viable entry point for initial access or lateral movement in targeted attacks.

Affected Versions

Affected Versions Apex One (on-premise) 2019 versions, including builds ≤ 14.0.39Apex One as a Service On-premise service components only (not cloud-managed)

Trend Micro SaaS-managed customers are not impacted, as the cloud console has architectural safeguards in place.

Exploitation in the Wild

• Multiple security researchers and threat intelligence platforms (e.g., The Hacker News, BleepingComputer) have reported active scanning and exploitation campaigns targeting unpatched systems.
• Attackers are believed to be using these flaws for initial footholds, followed by payload delivery (e.g., Cobalt Strike) or privilege escalation within enterprise environments.

Mitigation and Fix Status

Temporary Fix – FixTool_Aug2025

• Released: August 6, 2025
• Purpose: Disables the vulnerable “Remote Install Agent” feature on the console.
• Effect: Does not affect agent deployment through other methods (e.g., UNC paths, package installers).
• Recommended for Immediate Deployment to mitigate live exploitation.

Full Patch Release

• ETA: Mid-August 2025 (under QA testing)
• Restores Remote Install Agent functionality with secure code fixes
• Will be part of a broader Critical Patch release for Apex One SP1 and related builds

Additional Recommendations

1. Restrict Network Access
   • Limit console access to trusted IP ranges or internal subnets
   • Disable external console exposure immediately if present.
2. Network Segmentation
   • Isolate management servers from general user networks.
   • Block unnecessary inbound traffic using firewall rules.
3. Monitor for IOCs
   • Look for signs of command injection, unusual traffic to the management console, or use of admin credentials outside expected hours.
   • Integrate with EDR/XDR platforms for deeper telemetry.
4. Patch Management
   • Ensure Apex One is updated immediately upon patch release
   • Maintain full patch visibility across hybrid or offline deployments