CVE-2025-54948
Published: 05 August 2025
Summary
CVE-2025-54948 is a critical-severity OS Command Injection (CWE-78) vulnerability in Trend Micro Apex One. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires timely identification, reporting, and patching of flaws like CVE-2025-54948 to eliminate the command injection vulnerability in the Apex One management console.
Mandates validation of all inputs to prevent OS command injection exploits, such as the malicious code upload in CVE-2025-54948.
Enables proactive scanning to identify vulnerabilities like CVE-2025-54948 in the management console, supporting timely remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection RCE in public-facing management console directly enables T1190 exploitation and T1059 command execution.
NVD Description
A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.
Deeper analysis
CVE-2025-54948 is a vulnerability in the Trend Micro Apex One (on-premise) management console that could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. It is classified under CWE-78 (OS Command Injection) and carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H), reflecting its high severity due to network-based access, low attack complexity, no user interaction required, and potential for high impact on confidentiality and availability with low integrity impact.
A pre-authenticated remote attacker can exploit this vulnerability over the network without privileges (per CVSS PR:N) to upload malicious code directly to the management console. Successful exploitation enables arbitrary command execution on the affected system, potentially allowing full compromise of the Apex One installation and undermining endpoint protection capabilities.
Trend Micro provides mitigation details in their security advisory at https://success.trendmicro.com/en-US/solution/KA-0020652, which likely includes patching instructions for affected versions. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54948, indicating active exploitation and recommending immediate remediation.
This CVE's presence in the CISA KEV catalog confirms real-world exploitation, emphasizing the need for security practitioners to prioritize patching Apex One management consoles exposed to the internet.
Details
- CWE(s)
- KEV Date Added: 18 August 2025