Cloud Vulnerability DB
A community-led vulnerabilities database
Introducing Wiz for Exposure Management: Unify, prioritize, and remediate exposures everywhere.
Vulnerability DatabaseCVE-2025-54987
CVE-2025-54987:
Trend Micro Apex One Agent vulnerability analysis and mitigation
Overview
A critical vulnerability (CVE-2025-54987) has been identified in Trend Micro Apex One (on-premise) management console that could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. The vulnerability, discovered on August 1st, 2025, affects Trend Micro Apex One version 2019 Management Server Version 14039 and below on Windows platforms. This vulnerability is essentially the same as CVE-2025-54948 but targets a different CPU architecture (Trend Advisory, ZDI Advisory).
Technical details
The vulnerability has been assigned a CVSS v3.1 base score of 9.4 (CRITICAL) with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H. The specific flaw exists within the Apex One console, which listens on TCP ports 8080 and 4343 by default. The issue stems from improper validation of user-supplied strings before their use in system calls, classified as CWE-78 (OS Command Injection). An attacker can leverage this vulnerability to execute code in the context of IUSR (ZDI Advisory).
Impact
The vulnerability allows remote attackers to execute arbitrary code on affected installations of Trend Micro Apex One without requiring authentication. This could potentially lead to complete system compromise, with attackers gaining the ability to execute commands with IUSR privileges (ZDI Advisory, Help Net Security).
Mitigation and workarounds
Trend Micro has released a temporary fix tool (FixTool_Aug2025) as a short-term mitigation. While this tool fully protects against known exploits, it disables the Remote Install Agent function for agent deployment from the Management Console. Other agent install methods such as UNC path or agent package remain unaffected. A formal patch is expected to be released in mid-August 2025. Organizations are advised to review remote access to critical systems and implement source restrictions for exposed console IP addresses (Trend Advisory).
Community reactions
The cybersecurity community has responded with heightened concern due to the critical nature of the vulnerability and its active exploitation in the wild. Security researchers and organizations are strongly encouraging affected users to implement the temporary fix immediately while awaiting the formal patch (Help Net Security).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management