
CVE-2025-54948
Trend Micro Apex One Agent vulnerability analysis and mitigation

Overview

A critical vulnerability (CVE-2025-54948) was discovered in the Trend Micro Apex One (on-premise) management console that could allow pre-authenticated remote attackers to upload malicious code and execute commands on affected installations. The vulnerability was disclosed on August 5, 2025, and affects Trend Micro Apex One 2019 Management Server Version 14039 and below. The flaw carries a CVSS score of 9.4, indicating critical severity (ZDI Advisory, Trend Micro Advisory).

Technical details

The vulnerability exists within the Apex One console, which listens on TCP ports 8080 and 4343 by default. The specific flaw stems from improper validation of user-supplied strings before using them to execute system calls, classified as CWE-78 (OS Command Injection). An attacker can leverage this vulnerability to execute code in the context of IUSR. The vulnerability requires no authentication to exploit and has been assigned a CVSS v3.1 score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H) (ZDI Advisory, Trend Micro Advisory).

Impact

The vulnerability allows attackers to execute arbitrary code on affected installations without authenticating. Because an attacker can upload and execute malicious code on the management server, this could lead to complete system compromise. The impact is particularly severe for organizations whose management console IP address is exposed externally (Help Net Security).

Mitigation and workarounds

Trend Micro has released a temporary mitigation tool (FixTool_Aug2025) to address the vulnerability. While this tool provides protection against known exploits, it disables the Remote Install Agent function used to deploy agents from the management console. Alternative deployment methods, such as a UNC path or an agent package, remain unaffected. A comprehensive Critical Patch is expected to be released in mid-August 2025 and will restore the Remote Install Agent functionality. Organizations are advised to implement source restrictions if their console's IP address is exposed externally (Trend Micro Advisory).
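The facts in the Technical details and Mitigation sections above (affected build range, default console ports, the FixTool_Aug2025 interim fix, and the advice to restrict console sources) can be turned into exposure-triage logic. The following is an added example, not code from Wiz or Trend Micro; the inventory record layout, the allowed-source CIDR list, and the "critical/high/medium" priority scheme are assumptions, and all server records are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_network

# Facts taken from the advisory summary above.
AFFECTED_MAX_BUILD = 14039          # Apex One 2019 Management Server 14039 and below
CONSOLE_PORTS = (8080, 4343)        # default TCP listeners of the management console
# Assumption: RFC 1918 space counts as "internal"; anything else is treated as external.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class ApexOneServer:            # hypothetical inventory record (not a Wiz/Trend Micro schema)
    host: str
    build: int                  # management server build number
    allowed_sources: list[str]  # CIDRs permitted to reach the console ports; "0.0.0.0/0" = anyone
    fixtool_applied: bool = False

def is_externally_reachable(cidrs: list[str]) -> bool:
    """True if any allowed source CIDR is not fully inside private address space."""
    for cidr in cidrs:
        net = ip_network(cidr, strict=False)
        if not any(net.subnet_of(p) for p in PRIVATE_NETS):
            return True
    return False

def triage(server: ApexOneServer) -> tuple[str, list[str]]:
    """Return (priority, reasons) for one server: 'none', 'medium', 'high' or 'critical'."""
    if server.build > AFFECTED_MAX_BUILD:
        return "none", [f"build {server.build} is above {AFFECTED_MAX_BUILD}: outside the affected range"]
    reasons = [f"build {server.build} <= {AFFECTED_MAX_BUILD}: affected by CVE-2025-54948"]
    exposed = is_externally_reachable(server.allowed_sources)
    if exposed:
        reasons.append(f"console ports {CONSOLE_PORTS} reachable from non-private sources")
    if server.fixtool_applied:
        reasons.append("FixTool_Aug2025 applied: known exploits blocked (Remote Install Agent disabled)")
    if exposed and not server.fixtool_applied:
        return "critical", reasons      # unauthenticated, internet-facing, no interim fix
    if exposed or not server.fixtool_applied:
        return "high", reasons          # one compensating control in place, one missing
    return "medium", reasons            # mitigated and internal only; still needs the Critical Patch

if __name__ == "__main__":
    # Constructed inventory for illustration only.
    inventory = [
        ApexOneServer("apexone-dmz-01", 14039, ["0.0.0.0/0"]),
        ApexOneServer("apexone-hq-01", 14020, ["10.0.0.0/8"], fixtool_applied=True),
        ApexOneServer("apexone-lab-01", 14040, ["0.0.0.0/0"]),
    ]
    for s in inventory:
        prio, why = triage(s)
        print(f"{s.host}: {prio} - " + "; ".join(why))
```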

Community reactions

The vulnerability has garnered significant attention in the cybersecurity community due to its critical nature and active exploitation in the wild. Security researchers and industry experts have emphasized the urgency of applying the temporary fix while awaiting the comprehensive patch. The discovery involved collaboration between Trend Micro's Incident Response Team and external security researcher Jacky Hsieh from CoreCloud Tech, working through the Trend Zero Day Initiative (GBHackers).

This report was generated using AI.
