Known Exploited Vulnerability
9.8
CRITICAL CVSS 3.1
CVE-2025-54948
Trend Micro Apex One OS Command Injection Vulnerability - [Actively Exploited]
Description

A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.

INFO

Published Date :

Aug. 5, 2025, 1:15 p.m.

Last Modified :

Aug. 19, 2025, 1 a.m.

Remotely Exploit :

Yes !
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

Trend Micro Apex One Management Console (on-premise) contains an OS command injection vulnerability that could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.

Required Action :

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Notes :

https://success.trendmicro.com/en-US/solution/KA-0020652 ; N/A ; https://nvd.nist.gov/vuln/detail/CVE-2025-54948

Affected Products

The following products are affected by CVE-2025-54948 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Trendmicro apex_one
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 CRITICAL [email protected]
CVSS 3.1 CRITICAL [email protected]
Solution
Update Trend Micro Apex One to the latest version to fix the remote code execution vulnerability.
  • Apply the latest security patches and updates from Trend Micro.
  • Ensure the management console is protected and access is restricted.
Public PoC/Exploit Available at Github

CVE-2025-54948 has a 4 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-54948.

URL Resource
https://success.trendmicro.com/en-US/solution/KA-0020652 Patch Vendor Advisory
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-54948 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

None

Updated: 3 weeks ago
0 stars 0 fork 0 watcher
Born at : Aug. 7, 2025, 10:25 a.m. This repo has been linked 2 different CVEs too.

None

Python

Updated: 1 day, 13 hours ago
1 stars 0 fork 0 watcher
Born at : Oct. 29, 2024, 8:10 p.m. This repo has been linked 10 different CVEs too.

CISA Bot is a GitHub bot that automatically monitors the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. When new vulnerabilities are published in the KEV, the bot creates GitHub issues in this repository with detailed information about each vulnerability.

Python

Updated: 1 day, 17 hours ago
2 stars 1 fork 1 watcher
Born at : Oct. 29, 2024, 10:19 a.m. This repo has been linked 205 different CVEs too.

List of real-world threats against endpoint protection software

antivirus security incidents exploits vulnerability endpoint-protection

Updated: 1 week, 3 days ago
216 stars 38 fork 38 watcher
Born at : Nov. 20, 2016, 4:46 p.m. This repo has been linked 10 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2025-54948 vulnerability anywhere in the article.

  • Daily CyberSecurity
Awe Dropping: Apple Announces September 9 Event, Teasing a Groundbreaking Design

Apple has officially confirmed that it will host its autumn launch event on September 9 at 10:00 a.m. (Pacific Time) at its Cupertino headquarters. The event will carry the theme “Awe dropping,” hinti ... Read more

Published Date: Aug 27, 2025 (1 day, 17 hours ago)
  • CybersecurityNews
CISA Warns of Trend Micro Apex One OS Command Injection Vulnerability Exploited in Attacks

CISA has issued a critical warning regarding a high-severity OS command injection vulnerability in Trend Micro Apex One Management Console that threat actors are actively exploiting in the wild. The v ... Read more

Published Date: Aug 19, 2025 (1 week, 2 days ago)
  • Daily CyberSecurity
CISA Flags Actively Exploited Trend Micro Apex One Vulnerability (CVE-2025-54948)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Trend Micro Apex One vulnerability—CVE-2025-54948—to its Known Exploited Vulnerabilities (KEV) Catalog, citing evi ... Read more

Published Date: Aug 19, 2025 (1 week, 2 days ago)
  • security.nl
Trend Micro dicht actief aangevallen kwetsbaarheid in Apex One-platform

Trend Micro heeft een actief aangevallen kwetsbaarheid in endpoint security platform Apex One gedicht. Het securitybedrijf kwam op 5 augustus al met een waarschuwing voor het probleem, aangeduid als C ... Read more

Published Date: Aug 18, 2025 (1 week, 3 days ago)
  • The Register
Trend Micro offers weak workaround for already-exploited critical vuln in management console

Infosec In Brief A critical vulnerability in the on-prem version of Trend Micro's Apex One endpoint security platform is under active exploitation, the company admitted last week, and there's no patch ... Read more

Published Date: Aug 10, 2025 (2 weeks, 3 days ago)
  • Help Net Security
Week in review: SonicWall firewalls targeted in ransomware attacks, Black Hat USA 2025

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Black Hat USA 2025 Black Hat USA 2025 took place at the Mandalay Bay Convention Center in Las Vegas. E ... Read more

Published Date: Aug 10, 2025 (2 weeks, 4 days ago)
  • Help Net Security
Microsoft urges admins to plug severe Exchange security hole (CVE-2025-53786)

“In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization’s connected cloud e ... Read more

Published Date: Aug 07, 2025 (3 weeks ago)
  • Help Net Security
SonicWall: Attackers did not exploit zero-day vulnerability to compromise Gen 7 firewalls

Akira ransomware affiliates are not leveraging an unknown, zero-day vulnerability in SonicWall Gen 7 firewalls to breach corporate networks, the security vendor shared today. “Instead, there is a sign ... Read more

Published Date: Aug 07, 2025 (3 weeks ago)
  • Help Net Security
Energy companies are blind to thousands of exposed services

Many of America’s largest energy providers are exposed to known and exploitable vulnerabilities, and most security teams may not even see them, according to a new report from SixMap. Researchers asses ... Read more

Published Date: Aug 07, 2025 (3 weeks ago)
  • TheCyberThrone
Trend Micro Apex One Critical Vulnerabilities

August 7, 2025OverviewIn early August 2025, Trend Micro issued an urgent security bulletin disclosing two actively exploited critical vulnerabilities in its Apex One and Apex One as a Service (on-prem ... Read more

Published Date: Aug 07, 2025 (3 weeks ago)
  • Help Net Security
Adobe patches critical Adobe Experience Manager Forms vulnerabilities with public PoC

Adobe has released an emergency security update for Adobe Experience Manager Forms on Java Enterprise Edition (JEE), which fix two critical vulnerabilities (CVE-2025-54253, CVE-2025-54254) with a publ ... Read more

Published Date: Aug 06, 2025 (3 weeks, 1 day ago)
  • Help Net Security
Trend Micro Apex One flaws exploted in the wild (CVE-2025-54948, CVE-2025-54987)

Unauthenticated command injection vulnerabilities (CVE-2025-54948, CVE-2025-54987) affecting the on-premise version of Trend Micro’s Apex One endpoint security platform are being probed by attackers, ... Read more

Published Date: Aug 06, 2025 (3 weeks, 1 day ago)
  • BleepingComputer
Trend Micro warns of Apex One zero-day exploited in attacks

Trend Micro has warned customers to immediately secure their systems against an actively exploited remote code execution vulnerability in its Apex One endpoint security platform. Apex One is an endpoi ... Read more

Published Date: Aug 06, 2025 (3 weeks, 1 day ago)
  • security.nl
Trend Micro waarschuwt voor actief misbruik van Apex One-lek

Antivirusbedrijf Trend Micro waarschuwt klanten voor actief misbruik van een kritieke kwetsbaarheid in endpoint security platform Apex One en heeft een tijdelijke oplossing uitgebracht om organisaties ... Read more

Published Date: Aug 06, 2025 (3 weeks, 1 day ago)
  • The Hacker News
Trend Micro Confirms Active Exploitation of Critical Apex One Flaws in On-Premise Systems

Aug 06, 2025Ravie LakshmananVulnerability / Endpoint Security Trend Micro has released mitigations to address critical security flaws in on-premise versions of Apex One Management Console that it sa ... Read more

Published Date: Aug 06, 2025 (3 weeks, 1 day ago)
  • CybersecurityNews
Critical Trend Micro Apex One Management RCE Vulnerability Actively Exploited in the wild

Critical command injection remote code execution (RCE) vulnerabilities in Trend Micro Apex One Management Console are currently being actively exploited by threat actors. The company confirmed observi ... Read more

Published Date: Aug 06, 2025 (3 weeks, 1 day ago)
  • Daily CyberSecurity
Critical Command Injection Flaws in Trend Micro Apex One Actively Exploited

Trend Micro has issued an urgent advisory for two critical command injection vulnerabilities affecting its Apex One (on-prem) management console for Windows. Both vulnerabilities—CVE-2025-54948 and CV ... Read more

Published Date: Aug 05, 2025 (3 weeks, 1 day ago)

The following table lists the changes that have been made to the CVE-2025-54948 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725

    Aug. 19, 2025

    Action Type Old Value New Value
    Added Date Added 2025-08-18
    Added Due Date 2025-09-08
    Added Required Action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
    Added Vulnerability Name Trend Micro Apex One OS Command Injection Vulnerability
  • Initial Analysis by [email protected]

    Aug. 12, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CPE Configuration OR *cpe:2.3:a:trendmicro:apex_one:2019:*:*:*:on-premises:windows:*:*
    Added Reference Type Trend Micro, Inc.: https://success.trendmicro.com/en-US/solution/KA-0020652 Types: Patch, Vendor Advisory
  • New CVE Received by [email protected]

    Aug. 05, 2025

    Action Type Old Value New Value
    Added Description A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
    Added CWE CWE-78
    Added Reference https://success.trendmicro.com/en-US/solution/KA-0020652
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 9.8
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact