CVE-2025-69258
Published: 2026-01-08
Priority P273 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.22% (86.6th percentile)
A LoadLibraryEX vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to load an attacker-controlled DLL into a key executable, leading to execution of attacker-supplied code under the context of SYSTEM on affected installations.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro_inc | trend_micro_apex_central | >= 2019 (14.0) < Build 7190 | Build 7190 |
| trendmicro | apex_central | — | — |
Detection & IOCs (extracted from sources)
command: python3 tm_apex_central_MsgReceiver_msg_1b5b_unchecked_null_retval_dos.py -t <target> -p 20001
bytes: MsgId: 0x1b5b (SC_CMD_CGI_LOG_REQUEST) with two zero bytes indicating 'new protocol', missing \r\n in data payload
- Monitor for inbound TCP connections to port 20001 on Trend Micro Apex Central hosts, especially from external/untrusted sources; this is the attack surface for CVE-2025-69258.
- Detect message 0x0a8d (SC_INSTALL_HANDLER_REQUEST) sent to TCP/20001 from unauthenticated sources; the handler field contains the attacker-supplied DLL path.
- Detect MsgReceiver.exe crashes or access violations (code c0000005) as an indicator of CVE-2025-69259 or CVE-2025-69260 DoS exploitation attempts against TCP/20001.
- Look for outbound SMB/CIFS connections originating from MsgReceiver.exe to external hosts, which would indicate exploitation of the LoadLibraryEx UNC path DLL injection.
- The exploit requires the attacker to host an unauthenticated SMB/SAMBA share serving the malicious DLL; network egress controls blocking outbound SMB (TCP/445) from Apex Central servers can mitigate the RCE vector.
- The fix is Critical Patch Build 7190; systems not yet patched remain fully exposed to unauthenticated RCE via TCP/20001.
- The vulnerability requires no authentication and no user interaction (CVSS AV:N/AC:L/PR:N/UI:N), meaning any network-reachable Apex Central instance is at risk without additional access controls on port 20001.
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Trend Micro warns of critical Apex Central RCE vulnerability
blogs_bleepingcomputer·2026-01-09·CVSS 9.8
## Sergiu Gatlan
Japanese cybersecurity software firm Trend Micro has patched a critical security flaw in Apex Central (on-premise) that could allow attackers to execute arbitrary code with SYSTEM privileges.
Apex Central is a web-based management console that helps admins manage multiple Trend Micro products and services (including antivirus, content security, and threat detection) and deploy components like antivirus pattern files, scan engines, and antispam rules from a single interface.
Tracked as CVE-2025-69258, the vulnerability enables threat actors without privileges on the targeted system to gain remote code execution by injecting malicious DLLs in low-complexity attacks that don't require user interaction.
"A L
Tenable
Trend Micro Apex Central Multiple Vulnerabilities
blogs_tenable·2026-01-07
Wiz
CVE-2025-69258 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
## CVE-2025-69258: Apex Central vulnerability analysis and mitigation
A LoadLibraryEX vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to load an attacker-controlled DLL into a key executable, leading to execution of attacker-supplied code under the context of SYSTEM on affected installations.
Source: NVD
Score: 9.8
Published: January 8, 2026
Severity: CRITICAL
CNA Score: 9.8
Affected Technologies: Apex Central
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 70.3
Exploitation Probability (EPSS): 0.6
Affected packages and libraries: cpe:2.3:a:trendmicro:apex_central
Sources
Windows Severity CRITICAL No Fix Added at: Jan 18, 2026
Windows Sever
Wiz
CVE-2025-69259 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
## CVE-2025-69259: Apex Central vulnerability analysis and mitigation
A message unchecked NULL return value vulnerability in Trend Micro Apex Central could allow a remote attacker to create a denial-of-service condition on affected installations.
Please note: authentication is not required in order to exploit this vulnerability.
Source: NVD
Score: 7.5
Published: January 8, 2026
Severity: HIGH
CNA Score: 7.5
Affected Technologies: Apex Central
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 70
Exploitation Probability (EPSS): 0.6
Affected packages and libraries: cpe:2.3:a:trendmicro:apex_central
Sources
Windows Severity HIGH No Fix Added at: Jan 18, 2026
Windows Severity HIGH No
Wiz
CVE-2025-69260 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
## CVE-2025-69260: Apex Central vulnerability analysis and mitigation
A message out-of-bounds read vulnerability in Trend Micro Apex Central could allow a remote attacker to create a denial-of-service condition on affected installations.
Please note: authentication is not required in order to exploit this vulnerability.
Source: NVD
Score: 7.5
Published: January 8, 2026
Severity: HIGH
CNA Score: 7.5
Affected Technologies: Apex Central
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 67.3
Exploitation Probability (EPSS): 0.5
Affected packages and libraries: cpe:2.3:a:trendmicro:apex_central
Sources
Windows Severity HIGH No Fix Added at: Jan 18, 2026
Windows Severity HIGH No Fix Adde
Greynoiseio
NoiseLetter February 2026
blogs_greynoiseio
Published: 2026-01-08