Trend Micro Warns of Apex One Vulnerabilities Exploited in Wild

Trend Micro has rushed to fix two Apex One zero-days that may have been exploited by Chinese threat actors.

Trend Micro is urging users of the on-premises version of its Apex One endpoint security solution to install a fix that mitigates two zero-day vulnerabilities.

An advisory published by the security firm on Tuesday warns customers that two critical vulnerabilities tracked as CVE-2025-54948 and CVE-2025-54987 have been exploited in the wild in at least one instance.

The security holes, described as OS command injection issues, impact the Apex One management console and can be exploited by a remote, unauthenticated attacker to upload malicious code and execute commands on impacted installations.

CVE-2025-54987 is described as “essentially the same as CVE-2025-54948” but affecting a different CPU architecture.

“For this particular vulnerability, an attacker must have access to the Trend Micro Apex One Management Console, so customers that have their console’s IP address exposed externally should consider mitigating factors such as source restrictions if not already applied,” Trend Micro told customers.

According to advisories published by ZDI, the vulnerabilities were reported to Trend Micro on August 1 and it seems the company rushed to address them with the release of a ‘short-term mitigation’ tool. A full patch is expected to be released in mid-August.

“The fix tool is a short-term mitigation, and while it will fully protect against known exploits, it will disable the ability for administrators to utilize the Remote Install Agent function to deploy agents from the Trend Micro Apex One Management Console,” Trend Micro said.

No information has been shared on the zero-day attacks exploiting CVE-2025-54948 and/or CVE-2025-54987, but Chinese cyberspies have been known to target Trend Micro product vulnerabilities. 

Jacky Hsieh of Taiwan-based cybersecurity company CoreCloud Tech has been credited with reporting the vulnerabilities. Considering that Taiwan is often a target of Chinese APT attacks, this suggests that Chinese threat actors may be behind the latest Trend Micro zero-day exploitation.

It’s not uncommon for threat actors to target Trend Micro product vulnerabilities in their attacks. CISA’s Known Exploited Vulnerabilities (KEV) catalog shows that ten Trend Micro flaws have been exploited in the wild since 2018.

*updated to clarify that only a mitigation tool is available rather than actual patches

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
