ICS Labs Outbreak Alert - Trend Micro Apex One On-Premise Exploited
- Security Team

- Aug 10


Trend Micro has issued an urgent alert regarding two critical command injection vulnerabilities (CVE-2025-54948 and CVE-2025-54987) in its Apex One management console (on-premises version), which are currently under active exploitation. These flaws allow unauthenticated remote code execution on affected systems.
Global threat intelligence repositories and telemetry data confirm that attackers are actively exploiting these vulnerabilities in real-world environments. The company strongly recommends applying the mitigation measures and updates immediately to prevent the vulnerabilities from being used to deploy malware, infostealers, or ransomware.
Impact
The vulnerabilities affect on-premises versions of Apex One (Management Server Version 14039 and earlier), as well as Apex One as a Service and Trend Vision One Endpoint Security Standard Endpoint Protection (depending on the architecture). Systems may be compromised if the console is exposed to external IPs, enabling threat actors to use this vector to expand infections, steal data, or deploy ransomware.
Mitigation and Recommendations
Apply the temporary mitigation by disabling the Remote Install Agent function, preventing the deployment of agents from the console.
Implement network-level access restrictions for externally exposed consoles.
Trend Micro expects to release a full patch by mid-August 2025. Until then, ensure that all systems are running the latest software versions.
Latest Updates
August 6, 2025: Active exploitation confirmed; mitigation available.
August 7, 2025: Urgent update released; severity score assigned: 9.4/10.




