Critical Trend Micro Apex One Zero-Day: Remote Code Execution via Management Console (CVE-2025-54948 / 54987)

Two critical command injection flaws in Trend Micro's on-premises Apex One management console pose an active threat: exploitation allows unauthenticated remote code execution. Trend Micro recommends applying its temporary fix tool and restricting console access until the official patch ships in mid-August.


Overview

Trend Micro has confirmed that two critical command injection vulnerabilities, CVE-2025-54948 and CVE-2025-54987, affect the on-premises Apex One Management Console, enabling remote code execution without authentication.

  • Severity: CVSS score 9.4 (Critical)
  • Exploitation: At least one in-the-wild attempt has been observed by Trend Micro

These vulnerabilities enable attackers to upload malicious code and execute system commands directly through the management interface.


Affected Versions & Scope

  • Product: Trend Micro Apex One (on-premises), Management Server Version 14039 and earlier.
  • The two CVEs describe the same flaw; CVE-2025-54987 covers a different CPU architecture.
  • Cloud-hosted offerings (Apex One as a Service, Trend Vision One) were mitigated earlier (by July 31) and are not affected.

Mitigation Steps

  • Temporary Fix Tool: Trend Micro released an emergency mitigation tool that blocks exploitation. It does, however, disable the Remote Install Agent feature in the management console, so agent deployment through the console is unavailable while the tool is in place.
  • Limit Console Exposure: Organizations should restrict access to the Apex One console, especially if it has an externally exposed IP address, using IP-based restrictions or by isolating access to a management network.
  • Expected Patch: A formal patch is expected in mid-August 2025, restoring full functionality including Remote Install Agent.

ThreatGrid Takeaways

  1. Implement the mitigation tool immediately, since protection must precede the patch.
  2. Avoid exposing the management console to the public internet; restrict access to trusted sources only.
  3. Plan patch deployment carefully to minimize operational disruption once official updates are available.
  4. Monitor logs and network traffic for signs of anomalous activity, especially around console endpoints.
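The access-restriction and monitoring points above are easier to act on with a concrete check. The script below is an added example written for this alert, not Trend Micro's own tooling: it parses IIS W3C extended log lines (the format the console's web server writes; a constructed sample is embedded), keeps only requests under an assumed console path prefix, and flags any that come from a source address outside the trusted management networks. The path prefix, port and subnets are placeholders to be adjusted for the real deployment.

```python
"""Audit IIS access logs for Apex One console requests from untrusted sources.

Added example for this alert; it is not Trend Micro code. Assumptions
(hypothetical): the console is served by IIS logging in W3C extended
format, its URLs live under CONSOLE_PREFIX, and TRUSTED_NETS lists the
only networks that should ever reach it.
"""
import ipaddress
from collections import Counter

# Hypothetical URL prefix of the management console; adjust to your deployment.
CONSOLE_PREFIX = "/console/"

# Assumed management subnets that are allowed to reach the console.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "192.168.50.0/24")]

# Constructed sample log in IIS W3C extended format (not real traffic).
# IIS writes spaces inside cs(User-Agent) as '+', so whitespace splitting is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-08-06 09:12:01 10.10.0.5 GET /console/login.aspx - 8443 - 10.10.0.77 Mozilla/5.0 200
2025-08-06 09:12:09 10.10.0.5 POST /console/login.aspx - 8443 - 203.0.113.42 curl/8.4.0 200
2025-08-06 09:12:11 10.10.0.5 POST /console/index.aspx - 8443 - 203.0.113.42 curl/8.4.0 500
2025-08-06 09:13:40 10.10.0.5 GET /console/index.aspx - 8443 - 192.168.50.12 Mozilla/5.0 200
2025-08-06 09:14:02 10.10.0.5 GET /other/index.html - 80 - 198.51.100.9 Mozilla/5.0 404
"""


def parse_w3c(text):
    """Yield one dict per log record, naming columns from the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("log data appeared before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines instead of misaligning columns
        yield dict(zip(fields, values))


def is_trusted(ip_text):
    """True if the address falls inside a trusted network; unparsable -> False."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def find_untrusted_console_access(text, prefix=CONSOLE_PREFIX):
    """Return (findings, counts).

    findings: (timestamp, client ip, method, uri, status) for every console
    request whose client is outside TRUSTED_NETS.
    counts: Counter of those client addresses, for quick triage.
    """
    findings = []
    counts = Counter()
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"]
        if not uri.startswith(prefix):
            continue  # not a console request; ignore
        src = rec["c-ip"]
        if is_trusted(src):
            continue
        findings.append((f"{rec['date']} {rec['time']}", src, rec["cs-method"], uri, rec["sc-status"]))
        counts[src] += 1
    return findings, counts


if __name__ == "__main__":
    hits, per_source = find_untrusted_console_access(SAMPLE_LOG)
    for hit in hits:
        print("UNTRUSTED console access:", *hit)
    for src, n in per_source.most_common():
        print(f"{src}: {n} console request(s)")
```

Run it against the real IIS log directory of the management server (replace SAMPLE_LOG with the file contents) after the mitigation tool is installed; any non-empty result means the IP restriction in the Mitigation Steps is not yet in force, and the listed sources are the first candidates for incident triage.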