Advisory

Trend Micro Patches Critical RCE and Privilege Escalation Flaws in Apex One

Take action: If you run Apex One on-premises, this is important. Update to CP Build 14136 ASAP and ensure your management console is not reachable from the public internet. Even if you use the SaaS version, verify that your endpoints have updated to the latest agent version to protect against local privilege escalation.


Trend Micro has released a Critical Patch for its Apex One malware protection platform that fixes eight security vulnerabilities. The most severe of them allow unauthenticated remote code execution on the management console.

Vulnerability summary:

  • CVE-2025-71210 (CVSS score 9.8) - A directory traversal vulnerability in the management console that allows remote attackers to upload malicious code. By exploiting improper path validation, an attacker can place executable files in sensitive directories and run commands with system privileges. This flaw requires network access to the console interface but does not require authentication.
  • CVE-2025-71211 (CVSS score 9.8) - A directory traversal vulnerability similar to CVE-2025-71210 but affecting a different executable within the management console. Attackers can bypass security checks to write arbitrary files to the server, leading to full remote code execution. Successful exploitation results in total system takeover if the console is accessible.
  • CVE-2025-71212 (CVSS score 7.8) - A link following vulnerability in the scan engine that enables local privilege escalation. An attacker with low-privileged access can create symbolic links that the scan engine follows, allowing them to modify protected system files. This results in the attacker gaining higher-level system permissions.
  • CVE-2025-71213 (CVSS score 7.8) - An origin validation error that allows local users to escalate their privileges on Windows systems. The software fails to properly verify the source of specific requests, letting an attacker spoof legitimate internal communications. This bypasses access controls and grants the attacker administrative rights.
  • CVE-2025-71215 (CVSS score 7.8) - A time-of-check time-of-use (TOCTOU) vulnerability in the macOS agent signature verification process. Attackers can replace a legitimate file with a malicious one after the system verifies it but before it executes. This race condition allows the execution of unauthorized code with elevated privileges.
  • CVE-2025-71216 (CVSS score 7.8) - Agent Cache Mechanism Time-of-Check Time-of-Use Local Privilege Escalation Vulnerability
  • CVE-2025-71217 (CVSS score 7.8) - Agent Self Protection Origin Validation Error Local Privilege Escalation Vulnerability
  • CVE-2025-71214 (CVSS score 7.2) - Agent iCore Service Origin Validation Error Local Privilege Escalation Vulnerability
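Two of the defect classes in the list above, improper path validation on a file upload and verify-then-use races, come down to small server-side checks. The following is an added example written for this advisory, not Trend Micro's code and not taken from the affected product: a path-containment check of the kind whose absence makes a directory traversal bug exploitable, and a verify-then-use routine that reads and verifies a file through one descriptor (refusing symbolic links) so that a swap on disk between check and use has nothing to act on. The SHA-256 digest stands in for a real signature check, and all file names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


# --- 1. Path containment for an upload handler -------------------------------

def safe_upload_path(upload_root: str, client_name: str) -> Path:
    """Return the on-disk path for a client-supplied file name, or raise
    ValueError if that name would land anywhere outside upload_root."""
    if "\x00" in client_name:
        raise ValueError("NUL byte in file name")
    root = Path(upload_root).resolve()
    # resolve() collapses '..' and follows symlinks, so the comparison is made
    # on the real target, not on the string the client sent. An absolute
    # client name replaces root entirely and is therefore rejected below.
    candidate = (root / client_name).resolve()
    if root not in candidate.parents:
        raise ValueError(f"path escapes upload root: {client_name!r}")
    return candidate


def containment_demo() -> dict:
    """Constructed inputs an upload handler might receive; returns which of
    them the check accepts. 'escape' is a symlink inside the root that points
    outside it, the case a plain string-prefix check would miss."""
    with tempfile.TemporaryDirectory() as root:
        os.symlink(os.path.dirname(root), os.path.join(root, "escape"))
        names = ["agent.bin", "sub/inner.bin", "../outside.bin", "/etc/hosts",
                 "sub/../../x", "escape/x.bin", "", "a\x00b"]
        result = {}
        for name in names:
            try:
                safe_upload_path(root, name)
                result[name] = True
            except ValueError:
                result[name] = False
        return result


# --- 2. Verify-then-use without a window -------------------------------------

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_then_use_racy(path: str, expected: str, between=None) -> bytes:
    """The TOCTOU shape: check the digest of a *path*, then open the path a
    second time to use it. `between` stands in for whatever happens on disk
    between the two opens (the demo swaps the file there)."""
    if sha256(Path(path).read_bytes()) != expected:
        raise ValueError("digest mismatch")
    if between:
        between()
    return Path(path).read_bytes()   # may no longer be the file that was checked


def verify_then_use_fixed(path: str, expected: str, between=None) -> bytes:
    """Open once, refusing symlinks, read from that descriptor, verify the bytes
    in memory and use those same bytes. Changes on disk after os.open() can
    alter neither what is verified nor what is used."""
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_CLOEXEC", 0)
    fd = os.open(path, flags)
    with os.fdopen(fd, "rb") as f:
        data = f.read()
    if between:
        between()
    if sha256(data) != expected:
        raise ValueError("digest mismatch")
    return data


def toctou_demo() -> dict:
    """Constructed scenario: a good file is installed, then swapped after the
    check. Returns the bytes each implementation ends up using."""
    good, bad = b"signed installer", b"swapped payload"
    with tempfile.TemporaryDirectory() as d:
        target, swap = os.path.join(d, "update.bin"), os.path.join(d, "swap.bin")

        def install_good():
            with open(target, "wb") as f:
                f.write(good)

        def swap_file():
            with open(swap, "wb") as f:
                f.write(bad)
            os.replace(swap, target)   # atomic rename over the checked file

        expected = sha256(good)
        install_good()
        racy = verify_then_use_racy(target, expected, between=swap_file)
        install_good()
        fixed = verify_then_use_fixed(target, expected, between=swap_file)
        return {"racy_used": racy, "fixed_used": fixed}


def refuses_symlink() -> bool:
    """O_NOFOLLOW makes the open itself fail on a symlink, so a link planted by
    a low-privileged user is never read or written through."""
    with tempfile.TemporaryDirectory() as d:
        real, link = os.path.join(d, "real.bin"), os.path.join(d, "link.bin")
        with open(real, "wb") as f:
            f.write(b"x")
        os.symlink(real, link)
        try:
            verify_then_use_fixed(link, sha256(b"x"))
            return False
        except OSError:
            return True


if __name__ == "__main__":
    print(containment_demo())
    print(toctou_demo())
    print(refuses_symlink())
```

The containment check is deliberately done on the resolved path rather than on the string: a symlink already present inside the upload directory is the other way a "safe looking" name ends up writing outside it. In the second half, the property worth noticing is that the fixed routine never touches the path again after the single `os.open()`; a verify step that succeeds on one open and a use step that happens on another is the race, however short the gap.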

The vulnerabilities primarily affect Trend Micro Apex One 2019 (on-premises) running on Windows. The macOS vulnerabilities (CVE-2025-71214 through CVE-2025-71217) were previously addressed in mid-2025 for SaaS users but are now formally documented for all customers.

The update also includes improved protections for CVE-2025-54987 (CVSS score 9.8) and CVE-2025-54948 (CVSS score 9.8), which were previously exploited in active attack campaigns during August 2025. Administrators should verify that all endpoints, including those managed via SaaS, are running the latest agent versions to ensure these enhancements are active.

Successful exploitation of the critical directory traversal flaws allows attackers to gain full control over the Apex One management server. From this position, they can disable security policies, deploy malware across the network, or exfiltrate sensitive endpoint data. The local privilege escalation flaws on Windows and macOS allow attackers who have already breached a system to deepen their foothold and bypass endpoint protection mechanisms.

These flaws affect both Windows and macOS platforms. Trend Micro has already patched these issues for Software-as-a-Service (SaaS) users, but administrators of on-premises installations must manually apply updates to prevent potential system takeovers.

Administrators using on-premises Apex One 2019 must update to Critical Patch (CP) Build 14136 ASAP. For those using Apex One as a Service or Trend Vision One Endpoint, ensure the Security Agent is at version 14.0.20315 or later. Trend Micro strongly recommends restricting access to the management console to trusted internal IP addresses only to mitigate the risk of remote exploitation.
