Cyber Resilience

CVE-2025-54987

Critical · RCE

Published: 05 August 2025

Modified: 12 August 2025
KEV Added
Patch
CVSS Score v3.1: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H)
EPSS Score: 0.0328 (87.5th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-54987 is a critical-severity OS Command Injection (CWE-78) vulnerability in Trend Micro Apex One. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 12.5% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability tracked as CVE-2025-54987 affects the management console of Trend Micro Apex One (on-premise). The flaw permits a remote attacker to upload malicious code and execute commands on affected systems. It is functionally identical to CVE-2025-54948 except that it targets a different CPU architecture, and it is associated with CWE-78.

The issue can be exploited by an unauthenticated remote attacker over the network without user interaction. Successful exploitation yields command execution with impacts rated high for confidentiality and availability and low for integrity under CVSS 9.4.

The EPSS score has remained flat at 0.0328 with no material increase since disclosure, and no public references describe active exploitation or patches. A Trend Micro advisory is available at the listed URL for organizations seeking official guidance.

Vulnerability details

A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. This vulnerability is essentially the same as CVE-2025-54948 but targets a different CPU architecture.

CWE(s)

CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190: Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059: Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

OS command injection in a public-facing management console directly enables remote exploitation for initial access (T1190) and arbitrary command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-54948 (same product: Trend Micro Apex One)
CVE-2026-34930 (same product: Trend Micro Apex One)
CVE-2025-71216 (same product: Trend Micro Apex One)
CVE-2025-71217 (same product: Trend Micro Apex One)
CVE-2026-45207 (same product: Trend Micro Apex One)
CVE-2024-58104 (same product: Trend Micro Apex One)
CVE-2026-34928 (same product: Trend Micro Apex One)
CVE-2025-71211 (same product: Trend Micro Apex One)
CVE-2025-71212 (same product: Trend Micro Apex One)
CVE-2026-34929 (same product: Trend Micro Apex One)

Affected Assets

Vendor: trendmicro
Product: apex one
Version: 2019

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly remediates the OS command injection vulnerability through timely application of vendor patches for the Trend Micro Apex One management console.

Prevent: Validates and sanitizes inputs to the management console to block malicious payloads that enable command injection and arbitrary code execution.

Prevent: Scans uploaded content at system boundaries and internally to detect and block malicious code before it can be executed on the server.

References