CVE-2025-47867
Published: 17 June 2025
Summary
CVE-2025-47867 is a high-severity Injection (CWE-74) vulnerability in Trend Micro Apex Central. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 16.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A Local File Inclusion vulnerability exists in a widget component of Trend Micro Apex Central versions below 8.0.6955. The flaw, tracked as CVE-2025-47867, permits an attacker to include arbitrary files that are then executed as PHP code, resulting in remote code execution on the affected server. The issue carries a CVSS 3.1 score of 7.5 and is associated with CWE-74.
An attacker with low-privileged network access can exploit the vulnerability, although exploitation has high attack complexity; no user interaction is required. Successful exploitation gives the attacker full impact on the confidentiality, integrity, and availability of the target installation.
Vendor guidance and additional technical details are available in the Trend Micro solution article KA-0019355 and the Zero Day Initiative advisory ZDI-25-297. The EPSS score for this CVE remains flat at 0.0181 with no material increase observed since publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-18517
Vulnerability details
A Local File Inclusion vulnerability in a Trend Micro Apex Central widget in versions below 8.0.6955 could allow an attacker to include arbitrary files to execute as PHP code and lead to remote code execution on affected installations.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.