- Trend Micro warns its customers about a critical-severity flaw in its endpoint protection solution
- It released a mitigation as it works on a patch
- Users are advised to apply the mitigations as soon as possible
Trend Micro is warning customers of an ongoing attack which abuses a critical severity vulnerability in one of its products.
The company said it recently discovered a command injection vulnerability in its on-prem version of the Apex One Management Console – an advanced endpoint security solution designed to protect enterprise networks from a wide range of threats.
The vulnerability is tracked as either CVE-2025-54948, or CVE-2025-54987, depending on the CPU architecture, and was assigned a severity score of 9.4/10 (critical). It allows threat actors to remotely run arbitrary code, including malware.
Working on a patch
Trend Micro said it aims to release a patch in mid-August 2025, which should also restore this function.
“For this particular vulnerability, an attacker must have access to the Trend Micro Apex One Management Console, so customers that have their console’s IP address exposed externally should consider mitigating factors such as source restrictions if not already applied,” the company said.
“However, even though an exploit may require several specific conditions to be met, Trend Micro strongly encourages customers to update to the latest builds as soon as possible.”
So far, the company has seen at least one attack taking place in the wild, although it did not detail where, against whom, if it was effective, or who the threat actors are.
Since Apex One is mostly used in enterprise environments, and the bug allows remote code execution, it is safe to assume miscreants are using it to drop infostealers and ransomware encryptors, while stealing sensitive files for extortion.
With the flaws now being being abused in the wild, Trend Micro released a mitigation measure to help defend its customers as it works on a patch. The mitigation, according to the Japanese CERT, disables admins from using the Remote Install Agent function to deploy agents from the console.
Via BleepingComputer