CVE-2025-69258
published 2026-01-08


Priority: P2 · 73 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.22% (86.6th percentile)
A LoadLibraryEX vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to load an attacker-controlled DLL into a key executable, leading to execution of attacker-supplied code under the context of SYSTEM on affected installations.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
trend_micro_inc | trend_micro_apex_central | >= 2019 (14.0) < Build 7190 | Build 7190
trendmicro | apex_central | |

Detection & IOCs (extracted from sources)

process: MsgReceiver.exe
port: TCP/20001
command: python3 tm_apex_central_MsgReceiver_msg_1b5b_unchecked_null_retval_dos.py -t <target> -p 20001
filename: msgHandlerLogReceiver.dll
bytes: MsgId: 0x1b5b (SC_CMD_CGI_LOG_REQUEST) with two zero bytes indicating 'new protocol', missing \r\n in data payload
  • Monitor for inbound TCP connections to port 20001 on Trend Micro Apex Central hosts, especially from external/untrusted sources; this is the attack surface for CVE-2025-69258.
  • Detect message 0x0a8d (SC_INSTALL_HANDLER_REQUEST) sent to TCP/20001 from unauthenticated sources; the handler field contains the attacker-supplied DLL path.
  • Detect MsgReceiver.exe crashes or access violations (code c0000005) as an indicator of CVE-2025-69259 or CVE-2025-69260 DoS exploitation attempts against TCP/20001.
  • Look for outbound SMB/CIFS connections originating from MsgReceiver.exe to external hosts, which would indicate exploitation of the LoadLibraryEx UNC path DLL injection.
  • The exploit requires the attacker to host an unauthenticated SMB/SAMBA share serving the malicious DLL; network egress controls blocking outbound SMB (TCP/445) from Apex Central servers can mitigate the RCE vector.
  • The fix is Critical Patch Build 7190; systems not yet patched remain fully exposed to unauthenticated RCE via TCP/20001.
  • The vulnerability requires no authentication and no user interaction (CVSS AV:N/AC:L/PR:N/UI:N), meaning any network-reachable Apex Central instance is at risk without additional access controls on port 20001.
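
The host-level checks listed above (untrusted inbound connections to TCP/20001, outbound SMB from MsgReceiver.exe, and c0000005 crashes) can be combined into one triage pass over endpoint telemetry. The following is an added example, not code from this page or from the vendor; the event records are constructed, their field names are modelled on Sysmon network-connection and Windows application-error events, and the trusted range and install directory are placeholders.

```python
import ipaddress
import json

# Assumption: address ranges allowed to talk to the Apex Central host.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample events (one JSON object per line). Field names are modelled
# on Sysmon network-connection and Windows application-error records; the
# install directory is a placeholder.
SAMPLE_EVENTS = r"""
{"type":"net","Image":"C:\\INSTALL_DIR\\MsgReceiver.exe","Initiated":false,"SourceIp":"10.20.4.7","DestinationIp":"10.20.1.5","DestinationPort":20001}
{"type":"net","Image":"C:\\INSTALL_DIR\\MsgReceiver.exe","Initiated":false,"SourceIp":"203.0.113.50","DestinationIp":"10.20.1.5","DestinationPort":20001}
{"type":"net","Image":"C:\\INSTALL_DIR\\msgreceiver.exe","Initiated":true,"SourceIp":"10.20.1.5","DestinationIp":"203.0.113.50","DestinationPort":445}
{"type":"net","Image":"C:\\Windows\\System32\\svchost.exe","Initiated":true,"SourceIp":"10.20.1.5","DestinationIp":"198.51.100.9","DestinationPort":445}
{"type":"crash","Image":"C:\\INSTALL_DIR\\MsgReceiver.exe","ExceptionCode":"C0000005"}
"""

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def classify(ev):
    """Return (rule, remote_ip) for a MsgReceiver.exe event that matches, else None."""
    if ev["Image"].rsplit("\\", 1)[-1].lower() != "msgreceiver.exe":
        return None
    if ev["type"] == "crash":
        # Access violation in the service process (possible DoS attempt)
        hit = ev["ExceptionCode"].lower() == "c0000005"
        return ("crash-c0000005", None) if hit else None
    port, outbound = ev["DestinationPort"], ev["Initiated"]
    if not outbound and port == 20001 and not is_trusted(ev["SourceIp"]):
        return ("untrusted-inbound-20001", ev["SourceIp"])
    if outbound and port == 445 and not is_trusted(ev["DestinationIp"]):
        # The service reaching an SMB server outside the trusted ranges
        return ("outbound-smb", ev["DestinationIp"])
    return None

def scan(text):
    alerts = []
    for line in text.splitlines():
        if line.strip():
            hit = classify(json.loads(line))
            if hit:
                alerts.append(hit)
    return alerts

if __name__ == "__main__":
    for rule, remote in scan(SAMPLE_EVENTS):
        print(rule, remote or "-")
```

An untrusted inbound connection followed by outbound SMB to the same remote address, as in the sample, is the pairing to prioritise.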