CVE-2025-54987
Published: 05 August 2025
Summary
CVE-2025-54987 is a critical-severity OS Command Injection (CWE-78) vulnerability in Trend Micro Apex One. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 12.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A vulnerability tracked as CVE-2025-54987 affects the management console of Trend Micro Apex One (on-premise). The flaw permits a remote attacker to upload malicious code and execute commands on affected systems. It is functionally identical to CVE-2025-54948 except that it targets a different CPU architecture, and it is associated with CWE-78.
The issue can be exploited by an unauthenticated remote attacker over the network without user interaction. Successful exploitation yields command execution with impacts rated high for confidentiality and availability and low for integrity under CVSS 9.4.
The EPSS score has remained flat at 0.0328 with no material increase since disclosure, and no public references describe active exploitation or patches. A Trend Micro advisory is available at the listed URL for organizations seeking official guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23620
Vulnerability details
A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. This vulnerability is essentially the same as CVE-2025-54948 but targets a different CPU architecture.
- CWE(s): CWE-78
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in a public-facing management console directly enables remote exploitation for initial access (T1190) and arbitrary command execution (T1059).
Mitigating Controls (NIST 800-53 r5)
Directly remediates the OS command injection vulnerability through timely application of vendor patches for the Trend Micro Apex One management console.
Validates and sanitizes inputs to the management console to block malicious payloads that enable command injection and arbitrary code execution.
Scans uploaded content at system boundaries and internally to detect and block malicious code before it can be executed on the server.