CVE-2025-54987
Published 2025-08-05
Priority P188 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · VulnCheck KEV · Exploited in the wild
EPSS: 16.91% (96.7th percentile)
A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. This vulnerability is essentially the same as CVE-2025-54948 but targets a different CPU architecture.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trendmicro | apex_one | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability targets the Trend Micro Apex One Management Console (on-premise); monitor for pre-authenticated HTTP requests to the management console that contain command injection payloads, particularly those targeting the Remote Install Agent function endpoint.
- CVE-2025-54987 is architecturally distinct from CVE-2025-54948 but functionally identical; detection logic for CVE-2025-54948 should be replicated and applied to the alternate CPU architecture targeted by CVE-2025-54987.
- Alert on any unauthenticated (pre-auth) requests to the Apex One Management Console that attempt file uploads or command execution, as exploitation does not require prior authentication.
- Active exploitation has been confirmed in the wild; at least one exploitation attempt has been observed, meaning this is not purely theoretical and urgency for detection coverage is high.
- A security patch is not yet available as of the advisory date; the patch is expected around mid-August 2025, so detection and mitigation controls are the only current defensive options.
CVSS provenance
- nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck · 9.4 CRITICAL
GHSA
GHSA-8q59-7jj3-fj58
ghsa_unreviewed·2025-08-05·CVSS 9.4
CVE-2025-54987 [CRITICAL] CWE-78
VulnCheck
Trend Micro Apex One and Apex One as a Service Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2025·CVSS 9.4
CVE-2025-54987 [CRITICAL]
Affected: Trend Micro Apex One and Apex One as a Service
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://success.trendmicro.com/en-US/solution/KA-0020652; https://www.jpcert.or.jp/english/at/2025/at250016.html; https://re
No detection rules found.
No public exploits indexed.
Wiz
Crying Out Cloud Newsletter - September 2025 | Wiz
blogs_wiz·2025-09-07·CVSS 8.1 [HIGH]
Welcome back! In this edition, we bring you the latest in cloud security - noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
## 🔍 Highlights
s1ngularity: Supply Chain Attack Leaks Secrets on GitHub
On August 26, 2025, multiple malicious versions of the widely used Nx build system package were published to the npm registry. These versions contained a post-installation malware script designed to harvest sensitive developer assets, including cryptocurrency wallets, GitHub and npm tokens, SSH keys, and more. The malware leveraged AI command-line tools (including Claude, Gemini, and Q) to aid in their reconnaissance efforts, and then exfiltrated the stolen data to publicly accessible attacker-created repositories within victims’ GitHub accounts.
Learn more in
Checkpoint
11th August – Threat Intelligence Report
blogs_checkpoint·2025-08-11
CVE-2025-54136 11th August – Threat Intelligence Report
## 11th August – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 11th August, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Air France has experienced a data breach that resulted in unauthorized access to customer data through a compromised external customer service platform. The attack exposed personal information, including names, email addresses, phone numbers, frequent flyer program details, and recent transactions, but did not affect custom
Tenable
CVE-2025-54987, CVE-2025-54948: Trend Micro Apex One Command Injection Zero-Days Exploited In The Wild
blogs_tenable·2025-08-06·CVSS 9.4
[CRITICAL] CVE-2025-54987, CVE-2025-54948: Trend Micro Apex One Command Injection Zero-Days Exploited In The Wild
Bleepingcomputer
Trend Micro warns of Apex One zero-day exploited in attacks
blogs_bleepingcomputer·2025-08-06·CVSS 9.4
CVE-2025-54948 [CRITICAL] Trend Micro warns of Apex One zero-day exploited in attacks
## Trend Micro warns of Apex One zero-day exploited in attacks
## Sergiu Gatlan
Trend Micro has warned customers to immediately secure their systems against an actively exploited remote code execution vulnerability in its Apex One endpoint security platform.
Apex One is an endpoint security platform designed to automatically detect and respond to threats, including malicious tools, malware, and vulnerabilities.
This critical security flaw (tracked as CVE-2025-54948 and CVE-2025-54987 depending on the CPU architecture) is due to a command injection weakness in the Apex One Management Console (on-premise) that enables pre-authenticated attackers to execute arbitrary code remotely on systems running unpatched software.
Trend Micro has yet to issue security updates to patch this actively