cbcvebase.
CVE-2025-71211
published 2026-05-21


Priority: P2 / 70
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.75% (88.5th percentile)

A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected installations. This vulnerability is similar in scope to CVE-2025-71210 but affects a different executable. Please note: although this vulnerability carries a technical critical CVSS rating, this was reported via responsible disclosure via a researcher through the Zero Day Initiative. The SaaS versions of the product have already been mitigated and no customer action is required. For this particular vulnerability, an attacker must have access to the Trend Micro Apex One Management Console, so customers that have their console's IP address exposed externally should consider mitigating factors such as source restrictions if not already applied.

Affected

2 ranges

Vendor      Product   Version range     Fixed in
trendmicro  apex_one  < 14.0.0.14136    14.0.0.14136
trendmicro  apex_one  < 14.0.20315      14.0.20315

Detection & IOCs (extracted from sources)

  • CVE-2025-71211 is a path traversal vulnerability in the Trend Micro Apex One management console allowing remote code execution via malicious file upload to a specific executable (distinct from CVE-2025-71210). Detection should focus on anomalous file uploads and path traversal patterns targeting the Apex One management console.
  • Monitor Apex One management console access from external/internet-facing IP addresses; apply source IP restrictions to the console as a compensating control.
  • Patch to Critical Patch Build 14136 for on-premises Apex One deployments; SaaS versions are already mitigated.
  • Exploitation requires the attacker to already have access to the Trend Micro Apex One Management Console — this is not an unauthenticated/pre-auth RCE from the open internet without console access.
  • No in-the-wild exploitation has been reported for CVE-2025-71211 at time of disclosure; it was reported via responsible disclosure through the Zero Day Initiative.
  • SaaS Apex One customers require no action; only on-premises deployments need patching to Build 14136.
  • Successful exploitation may require several specific conditions to be met beyond console access alone.