Introduction
Attackers can gain remote command execution on Trend Micro Apex One management consoles without authentication, enabling malicious code upload and full compromise of the security platform. This vulnerability directly impacts enterprise environments relying on Trend Micro for endpoint protection, making it a high-priority risk for security teams.
About Trend Micro Apex One: Trend Micro is a major global cybersecurity vendor with a broad portfolio of security products. Apex One is its flagship endpoint security platform, widely deployed in large enterprises for threat detection, response, and policy enforcement. A compromise of Apex One management infrastructure can undermine the security posture of entire organizations.
Technical Information
CVE-2025-54987 is an OS command injection vulnerability (CWE-78) in the Trend Micro Apex One (on-premise) management console. The vulnerability allows a pre-authenticated remote attacker to upload malicious code and execute arbitrary system commands on the affected installation. The flaw is present in the command processing logic of the management console, where crafted input is not properly validated or sanitized, leading to direct execution of attacker-supplied commands.
Key technical details:
- Attack vector: Network (AV:N)
- Attack complexity: Low (AC:L)
- Privileges required: None (PR:N)
- User interaction: None (UI:N)
- Scope: Unchanged (S:U)
- Confidentiality impact: High (C:H)
- Integrity impact: Low (I:L)
- Availability impact: High (A:H)
The vulnerability is essentially the same as CVE-2025-54948 but targets a different CPU architecture. It is tracked as ZDI-CAN-27855 by the Zero Day Initiative. Exploitation requires only network access to the management console, with no need for valid credentials or user interaction. Attackers can craft payloads to exploit insufficient input validation, resulting in arbitrary command execution within the management console context.
Affected Systems and Versions
- Trend Micro Apex One (on-premise) 2019 Management Server Version 14039
- Only the management console component is affected
- The vulnerability targets a specific CPU architecture (distinct from CVE-2025-54948)
Vendor Security History
Trend Micro has experienced a series of critical vulnerabilities in 2025 affecting Apex One, Apex Central, and Endpoint Encryption PolicyServer. Notable recent issues include:
- Five critical vulnerabilities in Apex One disclosed in June 2025 (CVSS 6.7 to 8.8)
- Additional critical flaws in Apex Central and PolicyServer
- Regular collaboration with the Zero Day Initiative and external researchers
- Vendor response includes rapid release of fix tools and advisories, but the pattern of repeated critical flaws suggests underlying challenges in secure development and QA