CVE-2025-54987
published 2025-08-05

CVE-2025-54987: A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute…

Priority: P1 · 88 · critical · 9.8 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · VulnCheck KEV: Exploited in the wild
EPSS: 16.91% (96.7th percentile)

A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. This vulnerability is essentially the same as CVE-2025-54948 but targets a different CPU architecture.

Affected

1 range

Vendor | Product | Version range | Fixed in
trendmicro | apex_one | |

Detection & IOCs (extracted from sources)

  • The vulnerability targets the Trend Micro Apex One Management Console (on-premise); monitor for pre-authenticated HTTP requests to the management console that contain command injection payloads, particularly those targeting the Remote Install Agent function endpoint.
  • CVE-2025-54987 is architecturally distinct from CVE-2025-54948 but functionally identical — detection logic for CVE-2025-54948 should be replicated and applied to the alternate CPU architecture targeted by CVE-2025-54987.
  • Alert on any unauthenticated (pre-auth) requests to the Apex One Management Console that attempt file uploads or command execution, as exploitation does not require prior authentication.
  • Active exploitation has been confirmed in the wild; at least one exploitation attempt has been observed, meaning this is not purely theoretical and urgency for detection coverage is high.
  • A security patch is not yet available as of the advisory date; the patch is expected around mid-August 2025, so detection and mitigation controls are the only current defensive options.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck | | 9.4 | CRITICAL |