Critical Remote Code Execution in TrendAI Apex One Console (CVE‑2025‑54987) Threatens Enterprise Endpoint Management
What It Is – A newly disclosed zero‑day (ZDI‑26‑270) in Trend Micro’s Apex One management console permits unauthenticated attackers to traverse directories and execute arbitrary code on the server. The flaw stems from insufficient validation of a user‑supplied file path used in file‑system operations.
Exploitability – The vulnerability is rated CVSS 9.8 (Critical): it is reachable over the network and requires neither authentication nor user interaction. Proof‑of‑concept code has been released publicly via the Zero Day Initiative advisory; no active ransomware or data‑exfiltration campaigns have been linked to it yet, but the exploit is trivial to weaponize.
Affected Products – TrendAI (Trend Micro) Apex One endpoint‑security platform, specifically the console services listening on TCP 8080 and 4343.
TPRM Impact –
- Any third‑party that relies on Apex One for endpoint protection inherits a direct remote‑code execution risk, potentially compromising the entire corporate network.
- Supply‑chain exposure: compromised Apex One agents can be used to pivot into downstream customers, amplifying risk across multiple industries.
Recommended Actions –
- Apply Trend Micro’s emergency patch (KB KA‑0022458) immediately on all Apex One consoles.
- Isolate the console ports (8080/4343) behind a firewall, or restrict access to them to trusted management subnets.
- Conduct full endpoint scans to detect any post‑compromise artifacts.
- Review third‑party risk registers and flag Apex One as a high‑severity vendor until remediation is verified.
- Update incident‑response playbooks to include this RCE vector for future tabletop exercises.
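As an added illustration (not from the advisory and not Trend Micro's code), the following Python checks console access-log lines for the two things the advisory calls out: directory-traversal sequences in request paths (the path-validation flaw described above) and requests to ports 8080/4343 arriving from outside a trusted management subnet (the isolation recommendation). The log format, the 10.0.5.0/24 management subnet, the request paths and the sample lines are all constructed assumptions; the page does not give the console's real log format.

```python
import ipaddress
import re
from urllib.parse import unquote

CONSOLE_PORTS = {8080, 4343}                        # console ports named in the advisory
TRUSTED_MGMT = ipaddress.ip_network("10.0.5.0/24")  # assumed management subnet

# Constructed sample access-log lines (not real Apex One logs; the page does not
# give the console's log format). Fields: client_ip port method path status
SAMPLE_LOG = """\
10.0.5.7 8080 GET /console/login 200
203.0.113.9 8080 GET /console/files?name=..%2F..%2F..%2Fsecret.txt 200
203.0.113.9 4343 POST /console/upload?name=..%252F..%252Fscripts%252Fx.exe 200
10.0.5.8 8443 GET /other/..%2F..%2Fetc 200
10.0.5.9 8080 GET /console/files?name=reports%5C..%5C..%5Cx.ini 200
"""
# A ".." standing alone as a segment after decoding, bounded by / ? = & # or the
# string ends; a filename such as "notes..txt" does not match.
_DOTDOT = re.compile(r"(?<![^/?=&])\.\.(?![^/?&#])")

def normalize_path(raw: str) -> str:
    """Percent-decode repeatedly (catches %252F double encoding), then treat
    backslashes as separators so "..\\" is seen like "../"."""
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")

def has_traversal(path: str) -> bool:
    return _DOTDOT.search(normalize_path(path)) is not None

def analyze(log_text: str):
    """Return (ip, port, path, reasons) tuples for suspicious console-port requests."""
    findings = []
    for line in log_text.splitlines():
        ip, port, _method, path, _status = line.split()
        if int(port) not in CONSOLE_PORTS:
            continue  # not a console port; out of scope for this check
        reasons = []
        if ipaddress.ip_address(ip) not in TRUSTED_MGMT:
            reasons.append("console port reached from outside management subnet")
        if has_traversal(path):
            reasons.append("directory traversal sequence in request path")
        if reasons:
            findings.append((ip, int(port), path, reasons))
    return findings
```

Requests from outside the management subnet are flagged even without a traversal payload, since the advisory's mitigation is to keep those ports unreachable from untrusted networks in the first place.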