Critical Trend Micro Apex One Vulnerabilities Added to CISA’s Exploited Flaws Catalog: What You Need to Know

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Trend Micro Apex One vulnerability to its Known Exploited Vulnerabilities catalog. Learn about the flaws, their impact, and the urgent steps organizations must take to mitigate risks.

TL;DR

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability (CVE-2025-54948) in Trend Micro Apex One to its Known Exploited Vulnerabilities (KEV) catalog. This flaw and its sibling CVE-2025-54987 are pre-authenticated command injection bugs in the on-premise management console that allow remote code execution (RCE); Trend Micro has observed at least one attempt to exploit one of them in the wild. Organizations running the Apex One on-premise console should apply Trend Micro's fix without delay. Federal civilian agencies must remediate by September 8, 2025.


Introduction

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Trend Micro Apex One to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, identified as CVE-2025-54948, enables remote code execution (RCE) without prior authentication, and Trend Micro has reported at least one exploitation attempt in the wild. Because Apex One is an endpoint protection platform whose console holds privileged reach into every managed endpoint, a compromised management server is a high-value foothold, which is why timely patching and access restrictions matter here more than for a typical web application.

In this article, we explore:

  • The details of the vulnerabilities (CVE-2025-54948 and CVE-2025-54987).
  • The potential impact on organizations using Trend Micro Apex One.
  • Mitigation steps and recommendations for affected users.
  • CISA’s directives for federal agencies and private organizations.

Critical Vulnerabilities in Trend Micro Apex One

Overview of the Flaws

On August 18, 2025, CISA added CVE-2025-54948 to its KEV catalog, following Trend Micro’s disclosure of two critical vulnerabilities in its Apex One on-premise management console. Both vulnerabilities are command injection flaws that allow pre-authenticated remote attackers to upload malicious code and execute arbitrary commands on affected systems.

The two vulnerabilities are:

  1. CVE-2025-54948:
    • A command injection RCE vulnerability in the Apex One management console.
    • Enables attackers to upload and execute malicious code on vulnerable installations.
    • CVSS score: 9.4 (Critical severity).
  2. CVE-2025-54987:
    • Similar to CVE-2025-54948 but targets a different CPU architecture.
    • Also a pre-authenticated command injection RCE with the same CVSS score of 9.4.

Both vulnerabilities were reported by Jacky Hsieh at CoreCloud Tech, in collaboration with the Trend Micro Zero Day Initiative.


Active Exploitation in the Wild

Trend Micro confirmed that it has observed at least one attempt to exploit one of these vulnerabilities in the wild. The company has not disclosed which of the two was targeted or any indicators from the attack, so defenders should treat both as exploited. Organizations running the Apex One on-premise console are at immediate risk if they have not applied the fix.

“Trend Micro has observed at least one instance of an attempt to actively exploit one of these vulnerabilities in the wild.” (Trend Micro advisory)


Impact and Mitigation Steps

Who Is Affected?

  • Organizations using Trend Micro Apex One (on-premise) are directly impacted.
  • Federal agencies are required to address the vulnerability by September 8, 2025, per CISA’s Binding Operational Directive (BOD) 22-01.
  • Private organizations are strongly advised to review and patch their systems to prevent exploitation.

Mitigation Measures

Trend Micro has released an interim fix tool for on-premise installations, has already mitigated its SaaS offering, and has committed to a full patch:

  1. For Apex One as a Service (SaaS) Users:
    • Mitigations were deployed as of July 31, 2025.
  2. For On-Premise Users:
    • Trend Micro provides a temporary fix tool through its advisory.
    • The tool blocks the known exploit but disables the Remote Install Agent feature in the console; other agent deployment methods are not affected by it.
    • Trend Micro said a formal patch was expected by mid-August 2025. The fix tool is an interim measure and should be followed by the patch once it is available.
  3. General Recommendations:
    • Restrict remote access to the Apex One Management Console.
    • Apply source restrictions if the console’s IP address is exposed externally.
    • Review and update perimeter security policies to prevent unauthorized access.
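The last two recommendations above are the ones most often skipped in practice, so the following added example, which is not from Trend Micro's advisory or from CISA, shows one way to carry them out on the Apex One server itself with the built-in Windows Firewall. It assumes the console web server listens on the Apex One defaults (TCP 8080 for HTTP, TCP 4343 for HTTPS) and uses two placeholder CIDRs for the networks that are allowed to reach it; both must be checked against the actual deployment before the rules are applied.

```powershell
# Added example (not from Trend Micro's advisory or CISA's KEV entry): limit which
# sources can reach the Apex One on-premise management console using Windows Firewall.
# Run in an elevated PowerShell session on the Apex One server. This is defense in
# depth only: it narrows exposure until the patch is applied; it does not fix the flaw.
#
# Assumptions, all of which must be verified against your own installation:
#   - The console web server listens on the Apex One defaults, TCP 8080 (HTTP) and
#     TCP 4343 (HTTPS). Step 1 shows what is really listening; adjust $ConsolePorts.
#   - Apex One agents report to the same web server that hosts the console, so
#     $AllowedSources must include every network that hosts agents as well as the
#     administrative network. The two CIDRs below are placeholders.

$ConsolePorts   = @(8080, 4343)
$AllowedSources = @('10.20.30.0/24', '10.40.0.0/16')   # placeholders: admin net, agent net
$RulePrefix     = 'ApexOne-Console'

# 1. Show what is listening on the console ports before changing anything.
Get-NetTCPConnection -State Listen |
    Where-Object { $ConsolePorts -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# 2. Disable any pre-existing enabled inbound allow rule that opens exactly these
#    ports to a wider set of sources (for example a rule created at install time).
#    Rules scoped by program or by port range are not matched here; review those by hand.
$portStrings = $ConsolePorts | ForEach-Object { "$_" }
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -notlike "$RulePrefix*" } |
    ForEach-Object {
        $rule   = $_
        $filter = $rule | Get-NetFirewallPortFilter
        $hit    = @($filter.LocalPort) | Where-Object { $portStrings -contains $_ }
        if ($filter.Protocol -eq 'TCP' -and $hit) {
            Write-Warning "Disabling broader inbound rule: $($rule.DisplayName)"
            $rule | Disable-NetFirewallRule
        }
    }

# 3. Recreate the scoped allow rule so the script can be re-run safely.
Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName "$RulePrefix-Allow-Trusted" `
    -Direction Inbound -Protocol TCP -LocalPort $ConsolePorts `
    -RemoteAddress $AllowedSources -Action Allow -Profile Any | Out-Null

# 4. Anything not matched by an allow rule must be dropped. Windows Firewall does this
#    by default, but confirm the profiles have not been loosened at some point.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 5. Verify the result.
Get-NetFirewallRule -DisplayName "$RulePrefix*" |
    Format-Table DisplayName, Enabled, Direction, Action -AutoSize
```

Two caveats apply. First, because agents and administrators share the console's web server, an allow list that contains only the admin network will cut managed endpoints off from the server; the agent networks belong in `$AllowedSources`. Second, if the console is published through a NAT device or reverse proxy, the server only ever sees the proxy's address, so source restrictions have to be enforced on the perimeter device rather than on the host. Neither rule set replaces the fix tool or the patch.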

CISA’s Directive and Broader Implications

Federal Agencies Must Act by September 8, 2025

Under BOD 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to address identified vulnerabilities by the specified deadline to protect their networks from exploitation.

Recommendations for Private Organizations

While BOD 22-01 binds only federal civilian agencies, CISA urges all organizations to prioritize remediation of vulnerabilities listed in the KEV catalog. For private organizations that means applying Trend Micro's fix tool now and the formal patch when it ships, restricting network access to the management console as described above, and confirming that the console is not reachable from the internet.

Conclusion

The addition of CVE-2025-54948 to CISA’s KEV catalog highlights the critical nature of these Trend Micro Apex One vulnerabilities. With active exploitation already observed, organizations must prioritize patching and enhance their security posture to mitigate risks.

Failure to address these vulnerabilities could result in severe consequences, including data breaches, ransomware attacks, or unauthorized system access. By following CISA’s guidelines and Trend Micro’s recommendations, organizations can protect their infrastructure and minimize exposure to cyber threats.

Stay informed and proactive—cybersecurity is a continuous effort.



This post is licensed under CC BY 4.0 by the author.