On 5 August 2025, Trend Micro released a short-term mitigation tool addressing two critical command injection vulnerabilities (CVE-2025-54948 and CVE-2025-54987) in Apex One. These flaws affect the on-premise Apex One Management Console and have been exploited in the wild. Both stem from a command injection issue that allows unauthenticated, remote threat actors to execute arbitrary code on vulnerable systems. The two vulnerabilities are similar and differ in the CPU architecture they target.
The mitigation tool fully blocks known exploits but disables the ability for administrators to use the Remote Install Agent function to deploy agents from the Apex One Management Console. An official patch for the on-premise Management Console is expected around mid-August 2025. Trend Micro will update their advisory once it becomes available. No action is required for Trend Micro Apex One as a Service customers, as the fix has been automatically applied.
At the time of writing, Arctic Wolf has not identified any publicly available proof-of-concept exploits. However, threat actors are likely to continue targeting these vulnerabilities, given their active exploitation, the absence of an official patch, and Apex One’s history of being targeted, as noted in CISA’s Known Exploited Vulnerabilities Catalog.
Recommendations
Implement Mitigation Tool
Arctic Wolf strongly recommends that customers implement the mitigation tool until an official patch is available.
| Product | Affected Version | Fixed Version |
| --- | --- | --- |
| Trend Micro Apex One (on-premise) | 2019 – Management Server Version 14039 and below | FixTool_Aug2025 (Short Term Mitigation) |
- Note: Trend Micro Apex One as a Service and Trend Vision One Endpoint Security (Standard Endpoint Protection) were fixed on July 31, and no customer action is required.
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.
Remove Apex One Management Console from the Public Internet
Consider removing the Apex One Management Console from the public internet to reduce your attack surface and limit the risk of remote exploitation of this or future vulnerabilities. Trend Micro advises customers whose console IP addresses are externally exposed to apply mitigating controls, such as source IP restrictions, if these are not already in place, and to restrict access to trusted networks.
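Before writing source IP restrictions, it helps to know which clients actually reach the console. The following is an added example, not part of the original advisory or Trend Micro's tooling: it tallies requests from addresses outside a trusted-range list in web server logs. The W3C extended log format, the trusted ranges, the port, the URI and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress

# Assumption: management networks allowed to reach the console; use your own.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]

# Constructed sample in W3C extended log format; URI and port are placeholders.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status
2025-08-05 09:12:01 10.20.1.5 GET /placeholder/console 443 10.20.3.44 200
2025-08-05 09:14:37 10.20.1.5 POST /placeholder/console 443 203.0.113.77 200
2025-08-05 09:14:39 10.20.1.5 POST /placeholder/console 443 203.0.113.77 500
2025-08-05 09:20:10 10.20.1.5 GET /placeholder/console 443 192.168.50.9 200
2025-08-05 09:31:02 10.20.1.5 GET /placeholder/console 443 198.51.100.12 403
2025-08-05 09:31:05 10.20.1.5 GET /placeholder/console 443 not-an-ip 400
"""


def untrusted_sources(log_text, trusted=TRUSTED_NETS):
    """Return {client_ip: request_count} for clients outside the trusted networks."""
    fields, hits = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The header names the columns; honour it instead of fixed positions.
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        try:
            client = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue  # skip rows whose client address does not parse
        if not any(client in net for net in trusted):
            hits[str(client)] = hits.get(str(client), 0) + 1
    return hits


if __name__ == "__main__":
    for ip, count in sorted(untrusted_sources(SAMPLE_LOG).items()):
        print(f"{ip}\t{count} request(s) from outside trusted networks")
```

Any address reported here is either a legitimate administrator who needs an allowlist entry or traffic that the source IP restriction should stop.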