
Cybersecurity firm Trend Micro has issued a critical security alert regarding two newly discovered command injection vulnerabilities affecting its Apex One on-premise Management Console.
The flaws, identified as CVE-2025-54948 and CVE-2025-54987, both carry a critical CVSS score of 9.4 and have already seen attempted exploitation in the wild.
The company disclosed that the vulnerabilities allow unauthenticated remote attackers to upload and execute arbitrary commands on affected Windows-based installations.
Trend Micro has confirmed that at least one exploit attempt has been detected, underscoring the urgency of applying the provided mitigations.
The vulnerabilities impact the Trend Micro Apex One (on-premise) 2019 version, specifically Management Server Version 14039 and below.
These vulnerabilities do not affect cloud-based deployments of Apex One or the Trend Vision One™ Endpoint Security platform, which were patched during out-of-band maintenance on July 31, 2025.
In a statement, Trend Micro said, “These vulnerabilities stem from command injection weaknesses in the Apex One Management Console. Exploitation could lead to full remote code execution before authentication is required.”
To counter the threat, Trend Micro has released a mitigation tool (FixTool_Aug2025.exe), available since August 5, with an updated version published on August 6 to address compatibility issues in non-standard environments.
The company advises that the tool should only be reapplied if the original version failed during installation. The tool disables the Remote Install Agent functionality, which will be restored with an upcoming critical patch expected in mid-August.
What’s Next?
Trend Micro is preparing a formal critical patch that will not only address the security flaws but also restore Remote Install Agent functionality. This patch is expected by mid-August and will be announced via official channels.