Cyber Resilience

CVE-2025-54948

Critical · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 05 August 2025

Modified: 31 October 2025
KEV Added: 18 August 2025
Patch
CVSS Score v3.1: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H)
EPSS Score: 0.1389 (94.5th percentile)
Risk Priority: 47 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-54948 is a critical-severity OS Command Injection (CWE-78) vulnerability in Trend Micro Apex One. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 5.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability in the management console of Trend Micro Apex One (on-premise) permits a pre-authenticated remote attacker to upload malicious code and execute operating system commands on affected installations. The flaw is tracked as CVE-2025-54948 with a CVSS 3.1 score of 9.4 and is categorized under CWE-78 for improper neutralization of special elements used in an OS command.

An unauthenticated network attacker can exploit the issue without user interaction to achieve code execution with high impact on confidentiality and availability and limited impact on integrity. Because the attack requires no prior authentication, it can be launched directly against exposed management consoles.

The vendor advisory at success.trendmicro.com recommends applying the fixes referenced in solution KA-0020652. CISA has added the CVE to its Known Exploited Vulnerabilities catalog, confirming in-the-wild exploitation and directing organizations to prioritize remediation.

EPSS scores for the vulnerability rose from a low baseline to a peak of 0.2244 with a current value of 0.1389, indicating growing exploitation interest after public disclosure.

Vulnerability details

A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.

CWE(s)
KEV Date Added: 18 August 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

An OS command injection RCE in a public-facing management console directly enables T1190 exploitation and T1059 command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-54987 · Same product: Trend Micro Apex One
CVE-2026-34930 · Same product: Trend Micro Apex One
CVE-2025-71216 · Same product: Trend Micro Apex One
CVE-2025-71217 · Same product: Trend Micro Apex One
CVE-2026-45207 · Same product: Trend Micro Apex One
CVE-2024-58104 · Same product: Trend Micro Apex One
CVE-2026-34928 · Same product: Trend Micro Apex One
CVE-2025-71211 · Same product: Trend Micro Apex One
CVE-2025-71212 · Same product: Trend Micro Apex One
CVE-2026-34929 · Same product: Trend Micro Apex One

Affected Assets

trendmicro
apex one
2019

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly requires timely identification, reporting, and patching of flaws like CVE-2025-54948 to eliminate the command injection vulnerability in the Apex One management console.

Prevent: Mandates validation of all inputs to prevent OS command injection exploits, such as the malicious code upload in CVE-2025-54948.

Detect: Enables proactive scanning to identify vulnerabilities like CVE-2025-54948 in the management console, supporting timely remediation.

References