Latest Trend Micro Apex One vulnerabilities
Trend Micro has disclosed two OS command injection vulnerabilities in certain versions of its Apex One Management Console (on-premises). The vulnerabilities are the result of improper validation of a user-supplied string before it is used to execute a system call. Successful exploitation may allow a remote, unauthenticated adversary to upload malicious code and execute commands in the context of IUSR on affected installations. The vulnerabilities have been designated CVE-2025-54987 and CVE-2025-54948 and have been rated critical with a CVSS score of 9.4. Note that CVE-2025-54987 describes the same vulnerability as CVE-2025-54948 but targets a different CPU architecture.
There is evidence that these vulnerabilities are being actively exploited in the wild.
The following versions are affected:
- Apex One (on-premise) versions 2019 (14.0) prior to 14.0.0.14039
What is the impact?
Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.
Are updates or workarounds available?
Users are encouraged to update to the latest version as quickly as possible:
- Apex One (on-premise) upgrade to version 14.0.0.14039 or later
How to find potentially vulnerable systems with runZero
From the Service inventory, use the following query to locate potentially vulnerable assets:
_asset.protocol:http AND protocol:http AND has:html.body AND html.body:"officescan/console/html/cgi/cgiChkMasterPwd.exe"
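A local triage pass over exported service records, as an added example that is not runZero's or Trend Micro's code: it applies the same body marker as the query above and compares a recorded build against the fixed build 14.0.0.14039. The record keys (addr, protocol, html_body, build) and the sample records are assumptions constructed for illustration.

```python
"""Triage exported HTTP service records for exposed Apex One consoles."""

# Marker taken from the query on this page (path served by the console).
CONSOLE_MARKER = "officescan/console/html/cgi/cgiChkMasterPwd.exe"
# First fixed build, from this page's update guidance.
FIXED_BUILD = (14, 0, 0, 14039)


def parse_build(text):
    """Return a 4-part build tuple, or None if the string is not a.b.c.d."""
    parts = (text or "").strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(record):
    """Return 'not-apex-one', 'patched', 'below-fixed-build' or 'verify-build'."""
    body = record.get("html_body") or ""
    if record.get("protocol") != "http" or CONSOLE_MARKER.lower() not in body.lower():
        return "not-apex-one"
    build = parse_build(record.get("build"))
    if build is None:
        return "verify-build"  # console reachable, build unknown: check by hand
    return "patched" if build >= FIXED_BUILD else "below-fixed-build"


# Constructed sample records (hypothetical keys, documentation-range addresses).
SAMPLE = [
    {"addr": "192.0.2.10", "protocol": "http", "build": "14.0.0.13139",
     "html_body": '<form action="/officescan/console/html/cgi/cgiChkMasterPwd.exe">'},
    {"addr": "192.0.2.11", "protocol": "http", "build": "14.0.0.14039",
     "html_body": '<form action="/officescan/console/html/cgi/cgiChkMasterPwd.exe">'},
    {"addr": "192.0.2.12", "protocol": "http",
     "html_body": '<a href="/OfficeScan/console/html/cgi/cgiChkMasterPwd.exe">'},
    {"addr": "192.0.2.13", "protocol": "http", "build": "14.0.0.13139",
     "html_body": "<html><body>Welcome</body></html>"},
]


def report(records):
    """Map each record's address to its triage status."""
    return {r["addr"]: triage(r) for r in records}


if __name__ == "__main__":
    for addr, status in report(SAMPLE).items():
        print(addr, status)
```

Records that come back as verify-build expose the console path but carry no usable build string, so the installed version has to be confirmed on the server itself.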