What is Trend Micro Apex One?
Trend Micro Apex One is an enterprise endpoint security platform (EDR/EPP) deployed on-premises by organizations to protect workstations and servers from malware, ransomware, and other threats. The Apex One Management Server is a centralized web console used by security administrators to manage policies, deploy agents, and monitor endpoint security across the enterprise. Because the Management Server is trusted by all managed endpoints and typically has visibility into the entire endpoint estate, compromising it gives an attacker a privileged position in the security infrastructure — potentially the ability to disable protection, exfiltrate security telemetry, or pivot to any managed endpoint.
Overview
CVE-2025-54948 is a critical OS command injection vulnerability (CWE-78) in the Trend Micro Apex One Management Console web interface. An unauthenticated remote attacker can send a specially crafted HTTP request to the Management Console — accessible on ports 8080 and 4343 — to inject and execute arbitrary OS commands on the server. Trend Micro confirmed at least one in-the-wild exploitation attempt before disclosure. This vulnerability was disclosed alongside companion zero-day CVE-2025-54987 (a second command injection path in the same product). CISA added it to the KEV catalog 13 days after the patch.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Apex One (on-premise) 2019, Management Server | Build 14039 and below | SP1 Critical Patch Build 14081 |
Note: Apex One as a Service (cloud-hosted) is not affected. Only on-premises Management Server installations require patching.
Technical Details
The vulnerability (CWE-78: OS Command Injection) is in the Apex One Management Console's HTTP request handling. User-supplied input is passed to OS command invocations without adequate sanitization. The vulnerable components are accessible on TCP ports 8080 and 4343 (the default Management Console ports).
An unauthenticated attacker crafts an HTTP request containing shell metacharacters or command injection sequences. The Management Console processes the request and passes the unsanitized input to an OS-level command, executing the attacker's payload with the privileges of the Management Server process (typically running with elevated system access). This vulnerability does not require an existing session, authentication credentials, or any prior knowledge of the environment.
The companion vulnerability CVE-2025-54987 represents a second independent command injection path in the same product and was disclosed simultaneously — indicating a broader lack of input sanitization across the Management Console.
Prior to the full SP1 patch, Trend Micro released a temporary mitigation tool that disables the Remote Install Agent function (the function associated with the vulnerable code path), providing an interim workaround for organizations unable to patch immediately.
Discovery
The vulnerability was discovered by Trend Micro's Incident Response (IR) Team and by Jacky Hsieh of CoreCloud Tech, working through the Trend Micro Zero Day Initiative. Its identification by the IR team during active incident response indicates the vulnerability was found while responding to a real-world attack.
Exploitation Context
Trend Micro confirmed at least one in-the-wild exploitation attempt before the August 5, 2025 advisory. The discovery through active IR engagement suggests targeted exploitation rather than opportunistic scanning. CISA added CVE-2025-54948 to the KEV catalog on August 18, 2025 with a 21-day federal remediation deadline. No specific threat actor group has been publicly attributed.
Remediation
- Apply SP1 Critical Patch Build 14081 immediately — download from the Trend Micro Download Center and follow the upgrade guide. Verify the build number in the Management Console.
- As a temporary mitigation (before patching): apply Trend Micro's Remote Install Agent disable tool to reduce the attack surface.
- Restrict Management Console access — ports 8080 and 4343 should never be internet-accessible. Apply firewall rules to limit access to trusted administrative IP ranges only.
- Check for indicators of compromise: review Apex One Management Console logs for unexpected HTTP requests to unusual endpoints, particularly from external IP addresses before August 5, 2025.
- Audit managed endpoint agent configurations — if the Management Server was compromised, policies pushed to agents may have been modified to disable protection. Verify all endpoint policies are intact.
- Apply the co-disclosed patch for CVE-2025-54987 — the same SP1 Critical Patch Build 14081 addresses both vulnerabilities.
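One way to carry out the log review and the "trusted administrative IP ranges only" check from the remediation list, as an added example that is not part of the original advisory and not Trend Micro's own tooling. It assumes a W3C-style access log layout (date, time, client IP, server port, method, path, query, status) and a configurable set of trusted administrative ranges; the log lines are constructed and the URI paths are placeholders, not real Apex One endpoints.

```python
import ipaddress
import re
from datetime import date
from urllib.parse import unquote

CONSOLE_PORTS = {8080, 4343}            # default Management Console ports named in the advisory
PATCH_DATE = date(2025, 8, 5)           # advisory / patch publication date
# Assumed trusted administrative ranges; replace with the organization's actual admin subnets.
TRUSTED_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Characters commonly used to chain or substitute OS commands (CWE-78 patterns).
META = re.compile(r"[;|&`]|\$\(")

# Constructed sample lines in the assumed layout; paths are placeholders, not Apex One endpoints.
SAMPLE_LOG = """\
2025-07-30 02:14:07 203.0.113.45 8080 POST /console/placeholder name=a;hostname 200
2025-07-30 02:15:11 10.20.30.5 4343 GET /console/login - 200
2025-08-06 09:01:55 198.51.100.7 8080 GET /console/status - 200
2025-07-31 23:59:59 192.168.1.9 8080 POST /console/placeholder x=%24(hostname) 500
2025-07-29 11:00:00 203.0.113.99 8080 GET /console/placeholder - 404
"""


def parse_line(line):
    """Split one access-log line into fields; returns None for lines that do not fit the layout."""
    f = line.split()
    if len(f) != 8:
        return None
    return {
        "date": date.fromisoformat(f[0]),
        "ip": ipaddress.ip_address(f[2]),
        "port": int(f[3]),
        "query": unquote(f[6]) if f[6] != "-" else "",   # decode %xx so encoded metacharacters are seen
    }


def is_external(ip):
    """True when the client address is outside every trusted administrative range."""
    return not any(ip in net for net in TRUSTED_RANGES)


def flag_suspicious(log_text, cutoff=PATCH_DATE):
    """Return (ip, date, reasons) for console-port requests worth a closer look."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["port"] not in CONSOLE_PORTS:
            continue
        reasons = []
        if is_external(rec["ip"]) and rec["date"] < cutoff:
            reasons.append("external source before patch date")
        if META.search(rec["query"]):
            reasons.append("shell metacharacters in query")
        if reasons:
            hits.append((str(rec["ip"]), rec["date"].isoformat(), reasons))
    return hits


if __name__ == "__main__":
    for ip, day, why in flag_suspicious(SAMPLE_LOG):
        print(day, ip, "; ".join(why))
```

Any hit from an address outside the trusted ranges is also a sign the firewall restriction on ports 8080 and 4343 is not in place.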
See Also
This CVE is part of a sustained pattern of Trend Micro Apex One management console vulnerabilities in CISA KEV spanning 2019–2026. See Attacking the Defenders: The Persistent Pattern of AV and EDR Products in CISA KEV for analysis of 18 KEV entries across Microsoft Defender, Trend Micro Apex One, McAfee, and Sophos.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-54948 |
| Vendor / Product | Trend Micro — Apex One |
| NVD Published | 2025-08-05 |
| NVD Last Modified | 2025-10-31 |
| CVSS 3.1 Score | 9.4 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H |
| Severity | CRITICAL |
| CWE | CWE-78 |
| CISA KEV Added | 2025-08-18 |
| CISA KEV Deadline | 2025-09-08 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-08-05 | Trend Micro publishes advisory and emergency patch (SP1 Critical Patch Build 14081); CVE published |
| 2025-08-18 | CISA adds to Known Exploited Vulnerabilities catalog |
| 2025-09-08 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Trend Micro Solution KA-0020652 | Vendor Advisory |
| NVD — CVE-2025-54948 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Tenable — Trend Micro Apex One Zero-Days CVE-2025-54948 / CVE-2025-54987 | Security Research |
| Arctic Wolf — Apex One Zero-Day Analysis | Security Research |