OS Command Injection Vulnerability Discovered in Trend Micro Apex One

Information:
Trend Micro Apex One is an Endpoint Protection platform that supports both SaaS and On-Premises deployments, managed through a centralized console. It provides multi-layered cybersecurity protection, including antivirus, behavioral monitoring, application control, data loss prevention (DLP), and firewall capabilities. Leveraging machine learning combined with the Smart Protection Network, Apex One accurately detects advanced threats and zero-day attacks. Additionally, it features extended detection and response (XDR) capabilities that enable scanning, analysis, and investigation of incidents from a single console, enhancing the speed and efficiency of threat response.
Incident:
Critical security vulnerabilities CVE-2025-54948 and CVE-2025-54987, each with a CVSS v3.1 score of 9.4, have been found in the Trend Micro Apex One (on-premise) Management Console. These vulnerabilities stem from improper input validation, allowing OS command injection in the console that centrally manages and controls all endpoints within an organization.
An attacker can craft specially designed input to inject operating system commands into parameters sent to the Management Console without requiring authentication (a pre-authentication attack). The critical concern is that the Apex One Management Console operates with high-level privileges on the server, enabling it to install and manage agents on client machines, perform system updates, and execute scripts and commands on various endpoints. This makes the vulnerability extremely dangerous if successfully exploited.
An attacker could gain full control over the Management Console server, install backdoors for future access, steal user credentials and other sensitive information, spread malware or ransomware to all endpoints within the network, and use the server as a strategic pivot point to launch further attacks across the organization.
The severity of this incident is significantly heightened by Trend Micro's confirmation that these vulnerabilities were actively exploited in the wild before the official public disclosure.
Recommendation:
- For the Trend Micro Apex One (on-premises) product, apply the emergency update using FixTool_Aug2025 immediately.
- Avoid exposing the Management Console port directly to the internet; use firewalls or ACLs to restrict access only to necessary internal networks.
- Monitor and apply the upcoming critical patch scheduled for mid-August 2025, which will provide a complete fix for the vulnerabilities.
The important thing is the security of your systems. We must stay vigilant and keep monitoring as usual.
For more information, please contact:
Email: sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)
061 387 9439 (Ms. Sirilak)
092 257 6902 (Ms. Narusorn)
References :
- https://success.trendmicro.com/en-US/solution/KA-0020652
- https://success.trendmicro.com/en-US/solution/KA-0009994
- https://app.opencve.io/cve/CVE-2025-54948
- https://app.opencve.io/cve/CVE-2025-54987
Weekly Interesting CVE
| NO. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS | Detail | Solution | Reference |
|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2025-54597 | 27/07/2025 | 29/07/2025 | Heimdall versions prior to 2.7.3 | Cross-Site Scripting | 7.2 | An attacker can inject malicious JavaScript code into the value of the q parameter, causing it to execute in the user's browser. This could lead to data theft or unauthorized control over certain system functions. | Update Heimdall to version 2.7.3 or later. | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49699 |
| 2 | CVE-2025-54569 | 28/07/2025 | 29/07/2026 | Malwarebytes Binisoft Windows Firewall Control versions before 6.16.0.0 | Local Privilege Escalation | 4.5 | An attacker with low-level privileges on the machine can exploit this vulnerability during the program installation process to elevate their privileges to Administrator. This could allow them to take control of the system or perform actions that would normally be restricted. | Update to version 6.16.0.0 or later. | |
| 3 | CVE-2025-54576 | 30/07/2025 | 31/07/2027 | OAuth2-Proxy in version 7.10.0 and below | Authentication Bypass | 9.1 | An attacker can bypass the authentication process by crafting a URL with query parameters that match the regex patterns defined in skip_auth_routes, allowing unauthorized access to resources that should be protected. | Update to version 7.11.0. | https://www.cvedetails.com/cve/CVE-2025-54576/ |
| 4 | CVE-2025-36594 | 04/08/2025 | 04/08/2025 | Dell PowerProtect Data Domain running (DD OS) versions: | Authentication Bypass | 9.8 | An unauthenticated remote attacker can exploit this vulnerability to bypass the system's protection mechanisms and potentially create a new user account. | Update to the following versions: | |
| 5 | CVE-2025-54782 | 02/08/2025 | 04/08/2025 | Nest versions 0.2.0 and below | Remote Code Execution | 9.4 | This package adds HTTP endpoints to the NestJS development server. | Update to version 0.2.1. | https://www.cvedetails.com/cve/CVE-2025-54782/ |
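The OAuth2-Proxy row above describes an authentication bypass through query parameters that satisfy a skip_auth_routes regex. The following Go program is an added illustration, not code from the OAuth2-Proxy project: it assumes the weak check matched each pattern against the full request URI (query string included) and contrasts it with matching against the parsed path only; the route patterns and request URIs are constructed samples.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Constructed sample of skip_auth_routes-style patterns (not a real deployment's config).
// The second pattern is unanchored, a common way operators write such rules.
var skipAuthRoutes = []*regexp.Regexp{
	regexp.MustCompile(`^/healthz$`),
	regexp.MustCompile(`/static/.*`),
}

// skipAuthWeak is the assumed shape of the vulnerable check: every pattern is
// tested against the full request URI, so text in the query string can match.
func skipAuthWeak(rawURL string) bool {
	for _, re := range skipAuthRoutes {
		if re.MatchString(rawURL) {
			return true
		}
	}
	return false
}

// skipAuthFixed parses the URI first and tests the patterns against the path
// component only, so nothing placed in the query string is considered.
func skipAuthFixed(rawURL string) (bool, error) {
	u, err := url.ParseRequestURI(rawURL)
	if err != nil {
		return false, err
	}
	for _, re := range skipAuthRoutes {
		if re.MatchString(u.Path) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed request URIs: two legitimate, one that carries a route pattern in the query.
	for _, raw := range []string{"/healthz", "/static/app.js", "/admin/users?next=/static/x"} {
		fixed, err := skipAuthFixed(raw)
		fmt.Printf("%-32s weak=%-5v fixed=%-5v err=%v\n", raw, skipAuthWeak(raw), fixed, err)
	}
}
```

The third URI is skipped by the weak check but still requires authentication under the path-only check, which is the behaviour the 7.11.0 fix is meant to restore.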
Malware News or Campaign IOC/IOA

| No | Campaign Name | Detection Date | Attack Type | Description | Mitigation/Remediation |
|---|---|---|---|---|---|
| 1 | ToolShell | 28/07/2025 | Ransomware | A new vulnerability known as ToolShell has been actively exploited against on-premises Microsoft SharePoint servers worldwide. Attackers can execute remote code without login, steal cryptographic keys, create web shells, and bypass MFA. | |

Ref: https://thehackernews.com/2025/07/critical-microsoft-sharepoint-flaw.html
22 August 2025