CVE-2025-71210
published 2026-05-21CVE-2025-71210: A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected…
PriorityP271critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
3.81%
88.7th percentile
A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected installations.
Please note: although this vulnerability carries a technical critical CVSS rating, this was reported via responsible disclosure via a researcher through the Zero Day Initiative. The SaaS versions of the product have already been mitigated and no customer action required.
For this particular vulnerability, an attacker must have access to the Trend Micro Apex One Management Console, so customers that have their console�s IP address exposed externally should consider mitigating factors such as source restrictions if not already applied.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro_inc | trendai_apex_one | >= 2019 (14.0) < 14.0.0.14136 | 14.0.0.14136 |
| trend_micro_inc | trendai_apex_one_as_a_service | >= SaaS < 14.0.20315 | 14.0.20315 |
| trendmicro | apex_one | < 14.0.0.14136 | 14.0.0.14136 |
| trendmicro | apex_one | < 14.0.20315 | 14.0.20315 |
Detection & IOCsextracted from sources · hover to see the quote
- →CVE-2025-71210 is a path traversal vulnerability in the Trend Micro Apex One management console allowing unauthenticated remote code execution via malicious file upload. ↗
- →A second related path traversal vulnerability (CVE-2025-71211) affects a different executable in the same Apex One management console — consider detecting path traversal patterns across all Apex One console executables. ↗
- →Prioritize patching to Critical Patch Build 14136 for on-premises Apex One deployments; SaaS versions are already mitigated. ↗
- →Monitor for unexpected file uploads to the Apex One management console, especially from external or untrusted IP addresses, as exploitation requires console access. ↗
- ·SaaS deployments of Apex One are already patched and require no customer action; only on-premises deployments need to apply Critical Patch Build 14136. ↗
- ·No in-the-wild exploitation of CVE-2025-71210 has been confirmed at time of disclosure; it was reported via responsible disclosure through the Zero Day Initiative. ↗
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-vhc8-fg3x-3rvc: A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected
ghsa_unreviewed·2026-05-21
CVE-2025-71210 [CRITICAL] CWE-22 GHSA-vhc8-fg3x-3rvc: A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected
A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected installations.
Please note: although this vulnerability carries a technical critical CVSS rating, this was reported via responsible disclosure via a researcher through the Zero Day Initiative. The SaaS versions of the product have already been mitigated and no customer action required.
For this particular vulnerability, an attacker must have access to the Trend Micro Apex One Management Console, so customers that have their console�s IP address exposed externally should consider mitigating factors such as source restrictions if not already applied.
GHSA
GHSA-qvww-2vwg-9rp6: A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected
ghsa_unreviewed·2026-05-21·CVSS 9.8
CVE-2025-71211 [CRITICAL] CWE-22 GHSA-qvww-2vwg-9rp6: A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected
A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected installations. This vulnerability is similar in scope to CVE-2025-71210 but affects a different executable.
Please note: although this vulnerability carries a technical critical CVSS rating, this was reported via responsible disclosure via a researcher through the Zero Day Initiative. The SaaS versions of the product have already been mitigated and no customer action required.
For this particular vulnerability, an attacker must have access to the Trend Micro Apex One Management Console, so customers that have their console�s IP address exposed externally should consider mitigating factors such as source restrictions if not already applied.
No detection rules found.
No public exploits indexed.
2026-05-21
Published