Trend Micro Apex One Vulnerability Puts Servers at Risk

Image credit: Photo by Rebecca Wang / CC BY 4.0

Security teams should note CISA has dropped CVE-2025-54948 into their Known Exploited Vulnerabilities catalog, and hackers already love this one. Now we’re dealing with a CVSS of like 9.4 in Trend Micro’s Apex One – this bug lets attackers execute OS commands without needing to authenticate first. Imagine if someone gets to your management console on ports 8080 or 4343; they basically have the server running as IUSR.

The technical side, well, it’s pretty ugly: backend lacks input validation, enabling these nasty payloads to hit system-level execution sprees. And yep, this mess includes on-premise Management Console versions up to 20216 and Server version 14039 and lower. There’s another bug, CVE-2025-54987, targeting different CPU setups –- giving attackers more than one way to strike.

When it comes to fixing, Trend Micro doesn’t have a real solution yet, just some stop-gap tool that mucks up Remote Install Agent functions. The tool does work, but installing stuff might be a chore with UNC paths until a true patch arrives. By the way, if you’re on cloud versions of Apex One, as of July 31, you’re mostly safe, but those on-prem folks, well, they’re tied to this temporary fix for now.

Warning: got Apex One management consoles lying around exposed? Get that fix tool going pronto and switch off network access to those management IPs. It’s worth mentioning that federal agencies have their BOD 22-01 changes to worry about, but really, every organization should see this as a top priority. Since CISA has placed it into KEV, exploit attempts are nonstop and spreading fast.