CVE-2025-54948
Published: 2025-08-05
Priority: P193 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW
CISA Known Exploited Vulnerability, due 2025-09-08
Exploited in the wild
EPSS: 20.25% (97.1th percentile)
A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro_inc | trend_micro_apex_one | >= 2019 (14.0) < 14.0.0.14039 | 14.0.0.14039 |
| trendmicro | apex_one | — | — |
Detection & IOCs
- CVE-2025-54948 (and CVE-2025-54987 for alternate CPU architecture) is an OS command injection in the Trend Micro Apex One Management Console (on-premise). Monitor the Management Console for unexpected pre-authenticated requests that attempt to upload files or invoke command execution, particularly against the Remote Install Agent function endpoint.
- Trend Micro confirmed at least one active in-the-wild exploitation attempt. Treat any anomalous pre-authenticated activity against the Apex One Management Console as a high-severity incident requiring immediate investigation.
- CISA KEV remediation deadline is 2025-09-08. Prioritize detection and patching for federal and critical infrastructure environments. The vulnerability class is OS command injection allowing malicious code upload and remote command execution without authentication.
- CVE-2025-54948 and CVE-2025-54987 are the same vulnerability tracked under two CVE IDs depending on CPU architecture. Ensure detection and patching coverage addresses both identifiers.
- This vulnerability only affects the on-premise version of Apex One; SaaS/cloud-hosted deployments are not impacted by this specific flaw.
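CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.4 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |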
GHSA
GHSA-9r9v-427h-5388
ghsa_unreviewed·2025-08-05
CVE-2025-54948 [CRITICAL] CWE-78
A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.
GHSA
GHSA-8q59-7jj3-fj58
ghsa_unreviewed·2025-08-05·CVSS 9.4
CVE-2025-54987 [CRITICAL] CWE-78
A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. This vulnerability is essentially the same as CVE-2025-54948 but targets a different CPU architecture.
VulnCheck
Trend Micro Apex One and Apex One as a Service Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2025·CVSS 9.4
CVE-2025-54987 [CRITICAL]
A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. This vulnerability is essentially the same as CVE-2025-54948 but targets a different CPU architecture.
Affected: Trend Micro Apex One and Apex One as a Service
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://success.trendmicro.com/en-US/solution/KA-0020652; https://www.jpcert.or.jp/english/at/2025/at250016.html; https://re
VulnCheck
Trend Micro Apex One OS Command Injection Vulnerability
vulncheck·2025·CVSS 9.4
CVE-2025-54948 [CRITICAL] CWE-78
Trend Micro Apex One Management Console (on-premise) contains an OS command injection vulnerability that could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.
Affected: Trend Micro Apex One
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://success.trendmicro.com/en-US/solution/KA-0020652; https://www.jpcert.or.jp/english/at/2025/at250016.html; https://research.checkpoint.com/2025/11th-august-threat-intelligence-report/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
CISA
Trend Micro Apex One OS Command Injection Vulnerability
cisa·2025-08-18·CVSS 9.8
CVE-2025-54948 [CRITICAL] CWE-78
Vulnerability: Trend Micro Apex One OS Command Injection Vulnerability
Affected: Trend Micro Apex One
Trend Micro Apex One Management Console (on-premise) contains an OS command injection vulnerability that could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://success.trendmicro.com/en-US/solution/KA-0020652 ; N/A ; https://nvd.nist.gov/vuln/detail/CVE-2025-54948
Remediation Due Date: 2025-09-08
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Trend Micro warns of Apex One zero-day exploited in the wild
blogs_bleepingcomputer·2026-05-22·CVSS 6.7
CVE-2026-34926 [MEDIUM]
By Sergiu Gatlan
Japanese cybersecurity software company Trend Micro has addressed an Apex One zero-day vulnerability exploited in attacks targeting Windows systems.
Apex One is Trend Micro's enterprise-grade endpoint security platform that protects corporate networks from a wide range of security threats, including malware, ransomware, fileless attacks, and web-based threats.
Tracked as CVE-2026-34926, this directory traversal vulnerability in the Apex One (on-premises) server allows local attackers with admin privileges to inject malicious code.
"A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious
Bleepingcomputer
Trend Micro warns of critical Apex One code execution flaws
blogs_bleepingcomputer·2026-02-26·CVSS 9.4
CVE-2025-7121 [CRITICAL]
By Sergiu Gatlan
Japanese cybersecurity software firm Trend Micro has patched two critical Apex One vulnerabilities that allow attackers to gain remote code execution (RCE) on vulnerable Windows systems.
Apex One is an endpoint security platform that detects and responds to security threats, including malware, spyware, malicious tools, and vulnerabilities.
The first critical Apex One security flaw patched this week (CVE-2025-71210) is due to a path traversal weakness in the Trend Micro Apex One management console, allowing attackers without privileges to execute malicious code on unpatched systems.
The second, tracked as CVE-2025-71211, is another Apex One management console path traversal vulnerability, similar in scope t
Wiz
Crying Out Cloud Newsletter - September 2025 | Wiz
blogs_wiz·2025-09-07·CVSS 8.1
[HIGH]
Welcome back! In this edition, we bring you the latest in cloud security - noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
## 🔍 Highlights
s1ngularity: Supply Chain Attack Leaks Secrets on GitHub
On August 26, 2025, multiple malicious versions of the widely used Nx build system package were published to the npm registry. These versions contained a post-installation malware script designed to harvest sensitive developer assets, including cryptocurrency wallets, GitHub and npm tokens, SSH keys, and more. The malware leveraged AI command-line tools (including Claude, Gemini, and Q) to aid in their reconnaissance efforts, and then exfiltrated the stolen data to publicly accessible attacker-created repositories within victims’ GitHub accounts.
Learn more in
Checkpoint
11th August – Threat Intelligence Report
blogs_checkpoint·2025-08-11
CVE-2025-54136
For the latest discoveries in cyber research for the week of 11th August, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Air France has experienced a data breach that resulted in unauthorized access to customer data through a compromised external customer service platform. The attack exposed personal information, including names, email addresses, phone numbers, frequent flyer program details, and recent transactions, but did not affect custom
Tenable
CVE-2025-54987, CVE-2025-54948: Trend Micro Apex One Command Injection Zero-Days Exploited In The Wild
blogs_tenable·2025-08-06·CVSS 9.4
[CRITICAL]
Bleepingcomputer
Trend Micro warns of Apex One zero-day exploited in attacks
blogs_bleepingcomputer·2025-08-06·CVSS 9.4
CVE-2025-54948 [CRITICAL]
By Sergiu Gatlan
Trend Micro has warned customers to immediately secure their systems against an actively exploited remote code execution vulnerability in its Apex One endpoint security platform.
Apex One is an endpoint security platform designed to automatically detect and respond to threats, including malicious tools, malware, and vulnerabilities.
This critical security flaw (tracked as CVE-2025-54948 and CVE-2025-54987 depending on the CPU architecture) is due to a command injection weakness in the Apex One Management Console (on-premise) that enables pre-authenticated attackers to execute arbitrary code remotely on systems running unpatched software.
Trend Micro has yet to issue security updates to patch this actively
Recorded Future
August 2025 CVE Landscape
blogs_recorded_future·CVSS 8.8
[HIGH]
In August 2025, Recorded Future’s Insikt Group® identified eighteen high-impact vulnerabilities that should be prioritized for remediation. This represents a decrease from the 22 identified in July.
However, the number of Very Critical vulnerabilities has remained the same (16) compared to July. These vulnerabilities have affected the following vendors: Trend Micro, WinRAR, N-able, Cisco, Apple, Citrix, FreePBX, Git, Microsoft, D-Link, and Fortinet.
August was dominated by Citrix and D-Link flaws, which represented six of the eighteen vulnerabilities. Threat actors actively exploited Citrix NetScaler ADC, NetScaler Gateway, and Citrix Session Recording products, as well as D-Link DNR-322L and DCS-2530L routers.
Recorded Future Insikt Group’s CVE Findings fro
Timeline
- 2025-08-05: Published
- 2025-08-18: Added to CISA KEV
- Exploited in the wild