Critical flaws in Trend Micro Apex One Management Console actively exploited
Take action: If you're running on-premise Trend Micro Apex One 2019 (version 14039 or below), immediately download and run the "FixTool_Aug2025" mitigation tool. The Apex One console is being actively exploited. Then reach out to Trend Micro for a patch and apply it as soon as it's available.
Trend Micro released an emergency security bulletin addressing critical command injection vulnerabilities in its Apex One endpoint security platform that are being actively exploited by attackers.
Vulnerabilities summary
- CVE-2025-54948 (CVSS score 9.4) - A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.
- CVE-2025-54987 (CVSS score 9.4) - A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. This flaw essentially represents the same vulnerability as CVE-2025-54948 but targets a different CPU architecture.
These vulnerabilities affect Trend Micro Apex One 2019 Management Server Version 14039 and below.
Until a security patch is available, Trend Micro urged administrators to disable the management console on vulnerable endpoints, even if this means temporarily losing remote management capabilities.
Trend Micro said it "observed at least one instance of an attempt to actively exploit one of these vulnerabilities in the wild." The Japanese CERT also issued an alert regarding the active exploitation of the two flaws, urging users to mitigate the issue as soon as possible.
Organizations using Trend Micro Apex One as a Service and Trend Vision One Endpoint Security received automatic protection through backend mitigations deployed on July 31, 2025, without service downtime. On-premise installations remain vulnerable until a patch or mitigation is applied.
Trend Micro has yet to issue security updates to patch this actively exploited vulnerability, but it has released a mitigation tool "FixTool_Aug2025" that provides short-term mitigation against exploitation attempts.
Update - as of 19th of August 2025, CISA confirms active exploitation of CVE-2025-54948. Trend Micro has released a final patch for the flaw. The initially published patch "FixTool_Aug2025" was classified as provisional, as it stalled the remote install function.