Trend Micro zero-day vulnerabilities are being actively exploited in the wild.

Nam Anh Mai D.

Two vulnerabilities, a Command Injection and a Remote Code Execution (RCE), have just been discovered in the Management Console of the Trend Micro Apex One security software. According to security researchers, these vulnerabilities are being actively exploited in the wild by organized hacker groups.

Vulnerability Information

Trend Micro Apex One is security software for businesses that protects computers and servers from viruses, malware, and cyberattacks. This solution is deployed by many organizations to monitor and manage security centrally through the Management Console—a dashboard that allows administrators to control the entire system. Recently, this console was found to have a critical vulnerability that hackers could exploit to gain remote control without needing to log in.

The two vulnerabilities are identified as CVE-2025-54948 and CVE-2025-54987, with details as follows:

CVE-2025-54948

  • CVSS Score (3.1): 9.4

  • Severity Level: Critical

  • Description: A vulnerability in the on-premise installation of Trend Micro Apex One's Management Console allows remote attackers, without needing login credentials (pre-authenticated), to upload malware and execute commands on the affected system.

CVE-2025-54987

  • CVSS Score (3.1): 9.4

  • Severity Level: Critical

  • Description: Essentially the same as CVE-2025-54948, but targets a different CPU architecture, expanding the attack scope to more types of systems.

These vulnerabilities affect Trend Micro Apex One Management Server version 14039 and below on the Windows platform.

To exploit them, attackers need network access to the Management Console, so organizations that expose the console's IP address to the internet are particularly at risk. Because the vulnerabilities are pre-authenticated, an attacker who can reach the console does not need any credentials: they can upload malware, escalate privileges and execute commands at the system level without any further authentication step.

The Trend Micro Incident Response Team reports that both vulnerabilities have been and are actively being exploited by organized hacker groups, highlighting the urgency of applying patches or temporary fixes immediately.

Mitigation & Recommendations

Trend Micro has released an emergency mitigation tool named FixTool_Aug2025.exe (SHA‑256: c945a885a31679a913802a2aefde52b672bb2c8ac98bbed52b723e6733c0eadc) to provide immediate protection against known attack methods. This temporary solution completely blocks current exploitation techniques but will temporarily disable the Remote Install Agent feature used for deploying agents from the Management Console.

Organizations using Trend Micro Apex One as a Service or Trend Vision One Endpoint Security have had protections automatically applied from July 31, 2025, through the backend system, without service disruption.

A comprehensive patch (Critical Patch) is expected to be released in mid-August 2025, which will fully restore the Remote Install Agent feature while maintaining a secure protection layer.

Security experts recommend:

  1. Immediately apply the Fix Tool for on-premise systems, especially if the Management Console's IP is exposed to the internet.

  2. Implement network segmentation and establish access controls to minimize intrusion risks.

  3. Restrict access to the Management Console to only internal networks or through a secure VPN.
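The following PowerShell snippet is an added example for recommendations 1 and 3 above; it is not Trend Micro's tooling or part of the original bulletin. It verifies the downloaded Fix Tool against the SHA-256 published in the advisory before it is run, and then scopes Windows Firewall so the console port only accepts inbound connections from internal or VPN address ranges. The download path, the console port (4343) and the internal ranges are assumptions and must be adjusted to your environment.

```powershell
# Added example: not Trend Micro's tooling. Assumed values are marked as such.

# --- 1. Verify the Fix Tool download before running it -----------------------
# Expected SHA-256 as published in the Trend Micro bulletin.
$ExpectedSha256 = 'c945a885a31679a913802a2aefde52b672bb2c8ac98bbed52b723e6733c0eadc'
$FixToolPath    = 'C:\Temp\FixTool_Aug2025.exe'   # assumed: wherever you saved the download

if (-not (Test-Path -LiteralPath $FixToolPath)) {
    throw "Fix Tool not found at $FixToolPath"
}
$actualSha256 = (Get-FileHash -LiteralPath $FixToolPath -Algorithm SHA256).Hash.ToLowerInvariant()
if ($actualSha256 -ne $ExpectedSha256) {
    throw "SHA-256 mismatch: got $actualSha256, expected $ExpectedSha256. Do not run this file."
}
Write-Host "Fix Tool hash verified: $actualSha256"

# --- 2. Limit who can reach the Management Console --------------------------
# Assumed values: the TCP port the console listens on and your internal/VPN ranges.
$ConsolePort = 4343                                   # assumed; check your console URL
$AllowedNets = @('10.0.0.0/8', '192.168.0.0/16')      # assumed internal + VPN address space

# Make every profile default-deny inbound, so only explicit Allow rules open the port.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# List any existing inbound Allow rule for the console port; a rule whose
# RemoteAddress is "Any" leaves the console reachable from everywhere and
# should be removed or scoped down.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$ConsolePort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        Write-Host "Existing allow rule '$($_.DisplayName)' RemoteAddress=$addr"
    }

# Allow the console port only from the internal ranges. Windows Firewall applies
# explicit Block rules before Allow rules, so do not add a catch-all Block rule
# for the same port (it would also block the internal ranges); rely on the
# default-deny policy set above instead.
New-NetFirewallRule -DisplayName 'Apex One Console - internal networks only' `
    -Direction Inbound -Protocol TCP -LocalPort $ConsolePort `
    -RemoteAddress $AllowedNets -Action Allow -Profile Domain,Private
```

Run it in an elevated PowerShell session on the Management Server. The hash check is a precondition for step 1 of the recommendations; the firewall scoping covers step 3 for hosts where the console cannot immediately be moved behind a VPN, and it should be complemented by the network segmentation in step 2 rather than replace it.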

References

  1. NVD - CVE-2025-54948

  2. NVD - CVE-2025-54987

  3. ITW CRITICAL SECURITY BULLETIN: Trend Micro Apex One (On-Premise) Management Console Command Injection RCE Vulnerabilities
