Trend Micro warns of Apex One zero-day exploited in attacks

Trend Micro has warned customers to immediately secure their systems against an actively exploited remote code execution vulnerability in its Apex One endpoint security platform.

Apex One is an endpoint security platform designed to automatically detect and respond to threats, including malicious tools, malware, and vulnerabilities.

This critical security flaw (tracked as CVE-2025-54948 and CVE-2025-54987 depending on the CPU architecture) is due to a command injection weakness in the Apex One Management Console (on-premise) that enables pre-authenticated attackers to execute arbitrary code remotely on systems running unpatched software.

Trend Micro has yet to issue security updates to patch this actively exploited vulnerability, but it has released a mitigation tool that provides short-term mitigation against exploitation attempts.

The Japanese CERT also issued an alert regarding the active exploitation of the two flaws, urging users to mitigate them as soon as possible.

"While it will fully protect against known exploits, it will disable the ability for administrators to utilize the Remote Install Agent function to deploy agents from the Trend Micro Apex One Management Console," the company explained in a Tuesday advisory.

"Trend Micro has observed as least one instance of an attempt to actively exploit one of these vulnerabilities in the wild."

Security patches coming mid-August

The company said it will release a patch around the middle of August 2025, which will also restore the Remote Install Agent functionality disabled by the mitigation tool.

Until a security patch is available, Trend Micro urged administrators to promptly secure vulnerable endpoints, even if this means temporarily losing remote management capabilities.

"For this particular vulnerability, an attacker must have access to the Trend Micro Apex One Management Console, so customers that have their console's IP address exposed externally should consider mitigating factors such as source restrictions if not already applied," it added.

"However, even though an exploit may require several specific conditions to be met, Trend Micro strongly encourages customers to update to the latest builds as soon as possible."

Trend Micro has patched two other Apex One zero-day vulnerabilities, one of them exploited in the wild in September 2022 (CVE-2022-40139) and another in September 2023 (CVE-2023-41179).

Earlier this month, the company also addressed multiple critical-severity remote code execution and authentication bypass flaws in its Apex Central and Endpoint Encryption (TMEE) PolicyServer products.