
A significant remote code execution vulnerability in the Trend Micro Apex One Management Console is being actively exploited in the wild.

Critical command injection remote code execution (RCE) vulnerabilities in the Trend Micro Apex One Management Console are being actively exploited by threat actors. The company has confirmed observing at least one instance of attempted exploitation in production environments, prompting the immediate release of emergency mitigation tools.

Two RCE vulnerabilities, designated CVE-2025-54948 and CVE-2025-54987, have been identified in Trend Micro Apex One (on-premise) systems. Both carry a CVSS 3.1 score of 9.4, which places them in the critical severity range. These command injection flaws, categorised under CWE-78: OS Command Injection, allow pre-authenticated remote attackers to upload malicious code and execute arbitrary commands on affected installations. The vulnerabilities affect Trend Micro Apex One Management Server Version 14039 and below on Windows platforms.

Trend Micro has released an emergency fix tool, designated FixTool_Aug2025.exe, to provide immediate protection against known exploits. This short-term mitigation fully protects against current attack methods but temporarily disables the Remote Install Agent function for deploying agents from the Management Console.

Organisations using Trend Micro Apex One as a Service and Trend Vision One Endpoint Security received automatic protection through backend mitigations deployed on July 31, 2025, requiring no service downtime.

A comprehensive Critical Patch is expected for release in mid-August 2025, which will restore full Remote Install Agent functionality while maintaining security protections. Security experts strongly recommend applying the emergency fix now for Apex One Management Server Version 14039 and below to mitigate risks associated with these critical vulnerabilities.
