CVE-2025-54987, CVE-2025-54948: Trend Micro Apex One Command Injection Zero-Days Exploited In The Wild

Trend Micro releases a temporary mitigation tool to reduce exposure to two unpatched zero-day command injection vulnerabilities that have been exploited in the wild.
Background
On August 5, Trend Micro released a security advisory for two critical flaws affecting on-prem versions of Apex One Management Console. According to the advisory, Trend Micro has observed active exploitation of the vulnerabilities.
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2025-54987 | Trend Micro Apex One Management Console Command Injection Vulnerability | 9.4 |
| CVE-2025-54948 | Trend Micro Apex One Management Console Command Injection Vulnerability | 9.4 |
According to Trend Micro, these two CVEs are the same; however, CVE-2025-54987 was issued for a different CPU architecture.
Analysis
CVE-2025-54987 and CVE-2025-54948 are both command injection vulnerabilities affecting the management console of on-prem installations of Trend Micro Apex One. An unauthenticated attacker with network or physical access to a vulnerable machine can upload arbitrary files, allowing the attacker to execute commands and achieve code execution. While two CVEs were issued, the advisory notes that CVE-2025-54987 was issued for a different CPU architecture than CVE-2025-54948.
Trend Micro Apex One™ as a Service and Trend Vision One Endpoint Security - Standard Endpoint Protection have been mitigated against these vulnerabilities as of July 31 and are not impacted by them. At this time, only on-prem installations of Apex One are affected.
Historical exploitation of Apex One
Apex One has been targeted by threat actors in the past, including zero-day exploitation of flaws affecting on-prem installations. CVE-2020-8467 and CVE-2020-8468 were addressed in March 2020 after in-the-wild exploitation was discovered, followed by CVE-2022-40139 in September 2022. As of the time this blog was published on August 6, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) lists nine vulnerabilities in Apex One in its Catalog of Known Exploited Vulnerabilities (KEV).
Vendor response
As of the time this blog was published on August 6, Trend Micro’s security advisory for these vulnerabilities notes that a patch has not yet been released and is expected “around the middle of August 2025.” We will update the blog with further information and solution steps once patches are released.
In the meantime, a short-term mitigation tool has been released. This tool can be used to protect against known exploits and disables “the ability for administrators to utilize the Remote Install Agent function to deploy agents.”
While successful exploitation requires an attacker to have either physical access or network access to the management interface, Trend Micro suggests that customers who have publicly exposed the management console's IP address also consider additional mitigation factors to restrict access to the management console.
Identifying affected systems
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2025-54987 and CVE-2025-54948 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Get more information
Join Tenable's Research Special Operations (RSO) Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.