Trend Micro Apex One CVE-2025-54987: Brief Summary of Critical Command Injection Vulnerability

This post provides a brief summary of CVE-2025-54987, a critical command injection vulnerability in the Trend Micro Apex One (on-premise) management console. The vulnerability allows pre-authenticated remote attackers to upload malicious code and execute commands, and affects Apex One 2019 Management Server Version 14039. The post includes technical details, affected versions, vendor security history, and reference links.
CVE Analysis

8 min read

ZeroPath CVE Analysis

2025-08-05

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Attackers can gain remote command execution on Trend Micro Apex One management consoles without authentication, enabling malicious code upload and full compromise of the security platform. This vulnerability directly impacts enterprise environments relying on Trend Micro for endpoint protection, making it a high-priority risk for security teams.

About Trend Micro Apex One: Trend Micro is a major global cybersecurity vendor with a broad portfolio of security products. Apex One is its flagship endpoint security platform, widely deployed in large enterprises for threat detection, response, and policy enforcement. A compromise of Apex One management infrastructure can undermine the security posture of entire organizations.

Technical Information

CVE-2025-54987 is an OS command injection vulnerability (CWE-78) in the Trend Micro Apex One (on-premise) management console. The vulnerability allows a pre-authenticated remote attacker to upload malicious code and execute arbitrary system commands on the affected installation. The flaw is present in the command processing logic of the management console, where crafted input is not properly validated or sanitized, leading to direct execution of attacker-supplied commands.

Key technical details:

  • Attack vector: Network (AV:N)
  • Attack complexity: Low (AC:L)
  • Privileges required: None (PR:N)
  • User interaction: None (UI:N)
  • Scope: Unchanged (S:U)
  • Confidentiality impact: High (C:H)
  • Integrity impact: Low (I:L)
  • Availability impact: High (A:H)

The vulnerability is essentially the same as CVE-2025-54948 but targets a different CPU architecture. It is tracked as ZDI-CAN-27855 by the Zero Day Initiative. Exploitation requires only network access to the management console, with no need for valid credentials or user interaction. Attackers can craft payloads to exploit insufficient input validation, resulting in arbitrary command execution within the management console context.

Affected Systems and Versions

  • Trend Micro Apex One (on-premise) 2019 Management Server Version 14039
  • Only the management console component is affected
  • The vulnerability targets a specific CPU architecture (distinct from CVE-2025-54948)

Vendor Security History

Trend Micro has experienced a series of critical vulnerabilities in 2025 affecting Apex One, Apex Central, and Endpoint Encryption PolicyServer. Notable recent issues include:

  • Five critical vulnerabilities in Apex One disclosed in June 2025 (CVSS 6.7 to 8.8)
  • Additional critical flaws in Apex Central and PolicyServer
  • Regular collaboration with the Zero Day Initiative and external researchers
  • Vendor response includes rapid release of fix tools and advisories, but the pattern of repeated critical flaws suggests underlying challenges in secure development and QA
