CVE-2025-54987: 
Trend Micro Apex One Agent vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-54987) was discovered in Trend Micro Apex One (on-premise) management console that could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. The vulnerability was discovered on August 1, 2025, and publicly disclosed on August 5, 2025. This vulnerability affects Trend Micro Apex One (on-prem) version 2019 - Management Server Version 14039 and below running on Windows systems. The vulnerability is essentially the same as CVE-2025-54948 but targets a different CPU architecture (ZDI Advisory, Trend Advisory).

The vulnerability stems from the lack of proper validation of a user-supplied string before using it to execute a system call in the Apex One console, which listens on TCP ports 8080 and 4343 by default. The flaw allows an attacker to execute code in the context of IUSR. The vulnerability has been assigned a CVSS v3.1 score of 9.4 (Critical) with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H and is classified as CWE-78: OS Command Injection (ZDI Advisory).

The vulnerability allows pre-authenticated remote attackers to execute arbitrary code on affected installations of Trend Micro Apex One. This could potentially lead to complete system compromise, as attackers could upload and execute malicious code on affected systems. The impact is particularly severe as it requires no authentication to exploit (Help Net Security).

Trend Micro has released a short-term mitigation tool (FixTool_Aug2025) on August 6, 2025, which fully protects against known exploits but disables the Remote Install Agent function. A permanent patch (SP1 CP B14081) was released on August 15, 2025, which restores the Remote Install Agent functionality. Organizations are advised to implement source IP restrictions if their console is exposed externally. Other agent install methods such as UNC path or agent package remain unaffected by the mitigation (Trend Advisory).

The security community has responded with heightened concern due to the active exploitation of the vulnerability. CISA has added the related vulnerability CVE-2025-54948 to its Known Exploited Vulnerabilities catalog, highlighting the severity of these flaws (Help Net Security).