SOCRadar® Cyber Intelligence Inc. | CVE-2025-54948 & CVE-2025-54987: Trend Micro Apex One Exploited for RCE
Aug 07, 2025
Moon

CVE-2025-54948 & CVE-2025-54987: Trend Micro Apex One Exploited for RCE

Trend Micro has disclosed two critical vulnerabilities, CVE-2025-54948 and CVE-2025-54987, affecting its on-premise Apex One platform. Both allow an unauthenticated attacker to execute arbitrary code remotely on unpatched systems.

Notably, the company confirmed it has already observed at least one attempt to exploit these vulnerabilities in the wild.

So, what are the implications for organizations relying on this widely deployed endpoint protection platform? Let’s unpack the details.

Quick Details on CVE-2025-54948 and CVE-2025-54987

Both CVEs are unauthenticated command injection vulnerabilities in the Trend Micro Apex One Management Console (on-premise). Each carries a CVSS score of 9.4, which places them in the critical range. They are technically the same flaw; the two identifiers cover different CPU architectures.

Here’s what makes them dangerous:

  • CVE-2025-54948 and CVE-2025-54987 let a remote attacker upload malicious code and execute system-level commands without logging in first.
  • The affected component listens by default on TCP ports 8080 and 4343, so a console reachable from outside the administrator network is directly exposed.
  • The root cause is improper input validation: a user-supplied string is passed unsanitized to a system call.

CVE-2025-54948 (SOCRadar Vulnerability Intelligence)

CVE-2025-54987 (SOCRadar Vulnerability Intelligence)

This class of vulnerability, categorized as CWE-78 (OS Command Injection), lets the attacker run arbitrary commands with the privileges of the IUSR account, the identity the web server uses for anonymous requests.
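To make the CWE-78 pattern concrete, here is an added Python illustration. It is not Apex One code and does not come from Trend Micro or the original post: a function that splices a user-supplied hostname into a shell command line, next to a hardened version that validates the input against a strict allow-list and passes it as a separate argument with no shell involved. `echo` stands in for the real system utility so the demo is harmless, a POSIX `/bin/sh` is assumed, and the `&& echo INJECTED` payload is constructed attacker input.

```python
import re
import subprocess

# Strict allow-list for a hostname (RFC 1123 labels joined by dots).  Shell
# metacharacters such as ; & | $ ` and whitespace can never match it.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def run_vulnerable(user_host: str) -> list[str]:
    """VULNERABLE (CWE-78): the untrusted string is spliced into a command line
    that a shell interprets, so metacharacters in it become new commands.
    'echo' stands in for the real system utility (POSIX /bin/sh assumed)."""
    completed = subprocess.run(
        f"echo resolving {user_host}",
        shell=True,            # the shell parses the whole string, payload included
        capture_output=True,
        text=True,
    )
    return [line.strip() for line in completed.stdout.splitlines()]


def run_hardened(user_host: str) -> list[str]:
    """HARDENED: reject anything that is not a plausible hostname, then hand the
    value to the program as a single argv element with no shell in between."""
    if not HOSTNAME_RE.fullmatch(user_host):
        raise ValueError(f"rejected hostname: {user_host!r}")
    completed = subprocess.run(
        ["echo", "resolving", user_host],   # argv list: no shell parsing at all
        shell=False,
        capture_output=True,
        text=True,
    )
    return [line.strip() for line in completed.stdout.splitlines()]


if __name__ == "__main__":
    payload = "example.com && echo INJECTED"      # constructed attacker input
    print(run_vulnerable("example.com"))          # ['resolving example.com']
    print(run_vulnerable(payload))                # ['resolving example.com', 'INJECTED']
    print(run_hardened("example.com"))            # ['resolving example.com']
    try:
        run_hardened(payload)                     # raises ValueError: never reaches a shell
    except ValueError as exc:
        print(exc)
```

The second call shows the problem the advisory describes: the attacker's text after `&&` runs as its own command under whatever account the service uses. The hardened version closes both doors at once: the allow-list rejects the payload, and even a value that slipped past validation would arrive as one opaque argument rather than shell syntax.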

What Systems Are at Risk?

The impacted products and configurations include:

  • Trend Micro Apex One (on-premise) version 2019, specifically Management Server Version 14039 and below.

It is important to note that although Apex One as a Service and Trend Vision One™ Endpoint Security were affected by the same underlying vulnerabilities, Trend Micro implemented mitigations for these SaaS-based platforms in an out-of-band update on July 31, 2025.

Active Exploitation Confirmed for Apex One Vulnerabilities

Trend Micro confirmed that attackers have already attempted to exploit at least one of these vulnerabilities in the wild.

Trend Micro warns of exploitation attempts targeting CVE-2025-54948 and CVE-2025-54987.

Exploitation requires network access to the vulnerable console, but that does not reduce the urgency: a management console reachable from the Internet, or from any untrusted network segment, can be attacked without credentials.

Security teams looking to stay ahead of similar critical exposures can benefit from using threat intelligence and attack surface visibility tools. Platforms like SOCRadar offer integrated solutions, such as Cyber Threat Intelligence (CTI) for real-time vulnerability intelligence, and Attack Surface Management (ASM) to identify exposed assets and reduce your external risk footprint.

Track hacker trends & get alerts for actively exploited CVEs (SOCRadar Vulnerability Intelligence)

Proactively discovering vulnerabilities before they are exploited is key to reducing operational impact and response time.

How Can You Mitigate CVE-2025-54948 and CVE-2025-54987?

A permanent patch is still under development and is expected in mid-August 2025. In the meantime, Trend Micro has released an interim fix tool that blocks the known exploitation path.

Fix Tool Details:

  • Name: FixTool_Aug2025.exe
  • Availability: Released August 5, 2025; an updated build followed on August 6, 2025 after the first version caused problems on non-standard setups.
  • Note: The fix disables the Remote Install Agent function of the console. Alternative agent deployment methods, such as installation from UNC paths or agent packages, remain fully functional.

Admins who successfully applied the original August 5 version do not need to reapply the updated one. The Critical Patch expected later in August will fully remediate the vulnerability and restore Remote Install Agent functionality.

Steps You Should Take Right Now

To mitigate risk, organizations using affected versions of Apex One should immediately:

  • Apply FixTool_Aug2025.exe to block exploitation attempts until the Critical Patch ships.
  • Restrict access to the Apex One Management Console to administrator networks only, and never expose it to external IPs.
  • Audit firewall rules and remote access policies to confirm no unintended path to the console exists.
  • Monitor TCP ports 8080 and 4343 for suspicious activity, such as connection attempts from unexpected source addresses.
  • Prepare to apply the forthcoming Critical Patch as soon as it becomes available.
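As an added example (not from the original post or from Trend Micro), the following Python script performs the monitoring step above over web server access logs: it parses W3C extended-format lines (the layout IIS writes), keeps only requests that reached the console ports 8080 or 4343, and flags those from client addresses outside an assumed administrator network list, marking unauthenticated POSTs separately. The sample log lines, URIs, client addresses and the `ADMIN_NETWORKS` CIDRs are all constructed for the demo; 203.0.113.77 is a documentation address standing in for an Internet source.

```python
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Iterator, Optional

# Ports named in the advisory for the Apex One management console.
CONSOLE_PORTS = {8080, 4343}

# Assumed for this example: the only networks administrators use to reach the console.
ADMIN_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("192.168.50.0/24"),
]
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample in W3C extended log format (reduced field list).  URIs and
# clients are invented; 203.0.113.77 (TEST-NET-3) stands in for an Internet source.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-08-06 09:12:01 10.10.0.5 GET /console/login - 4343 - 10.10.0.21 Mozilla/5.0 200
2025-08-06 09:12:44 10.10.0.5 POST /console/login - 4343 admin 10.10.0.21 Mozilla/5.0 302
2025-08-06 09:15:07 10.10.0.5 POST /console/upload - 8080 - 203.0.113.77 python-requests/2.31 200
2025-08-06 09:15:09 10.10.0.5 POST /console/upload - 8080 - 203.0.113.77 python-requests/2.31 200
2025-08-06 09:20:30 10.10.0.5 GET /console/status - 4343 - 172.16.8.9 curl/8.4.0 401
2025-08-06 09:21:00 10.10.0.5 GET /other/page - 443 - 203.0.113.77 Mozilla/5.0 200
"""


@dataclass(frozen=True)
class Alert:
    when: str
    src: str
    port: int
    method: str
    uri: str
    reason: str


def parse_w3c(text: str) -> Iterator[dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields: Optional[list[str]] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("log record appeared before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):    # truncated or malformed record: skip it
            continue
        yield dict(zip(fields, values))


def classify_source(client_ip: str) -> Optional[str]:
    """None for an approved admin source; otherwise why the source is suspicious."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in ADMIN_NETWORKS):
        return None
    if ip.is_loopback or any(ip in net for net in RFC1918):
        return "internal source outside the admin networks"
    return "non-RFC1918 source (externally routable)"


def find_console_exposure(text: str) -> list[Alert]:
    """Flag every request to a console port from a non-approved client address."""
    alerts: list[Alert] = []
    for rec in parse_w3c(text):
        port = int(rec["s-port"])
        if port not in CONSOLE_PORTS:
            continue
        reason = classify_source(rec["c-ip"])
        if reason is None:
            continue
        # The advisory's flaw needs no login, so unauthenticated writes matter most.
        if rec["cs-method"] == "POST" and rec.get("cs-username", "-") == "-":
            reason += "; unauthenticated POST"
        alerts.append(Alert(f"{rec['date']} {rec['time']}", rec["c-ip"], port,
                            rec["cs-method"], rec["cs-uri-stem"], reason))
    return alerts


def sources_by_count(alerts: list[Alert]) -> dict[str, int]:
    """Which non-approved addresses hit the console, most frequent first."""
    return dict(Counter(a.src for a in alerts).most_common())


if __name__ == "__main__":
    found = find_console_exposure(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(sources_by_count(found))
```

Run as-is it prints the three suspicious requests in the sample (two unauthenticated POSTs from the external address on 8080, one internal but non-admin probe on 4343) and leaves the two legitimate admin requests and the port-443 request alone. To use it against a real console, read the server's access log files into `text`, set `ADMIN_NETWORKS` to your actual management ranges, and treat any hit as a prompt to review the firewall rules and apply the fix tool; it is a retrospective check, not a substitute for patching.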

For full technical details and to download the mitigation tool, refer to the official Trend Micro advisory.