Trend Micro on Aug. 5 released a mitigation tool to protect organizations from a recently discovered critical command injection weakness in its on-premise Apex One Management Console, a tool security teams use to detect and respond to malicious threats.

Security teams were advised by Trend Micro to apply the tool because it has seen at least one instance of the flaw exploited in the wild.

Trend Micro said it intends to issue a patch by mid-August for the two 9.4 flaws: CVE-2025-54948 and CVE-2025-54987.

Both flaws had a command injection weakness that lets attackers insert and execute malicious commands directly on a vulnerable system, essentially tricking the application into running arbitrary code at the same privilege level as the underlying process.

“In this case, because the flaw is pre‑authentication, attackers don’t even need valid credentials,” explained Heath Renfrow, chief information security officer at Fenix24. “They can remotely compromise unpatched Apex One Management Consoles with minimal effort.”

Renfrow added that while applying the patch as soon as it’s released is critical, security teams shouldn’t wait. In the near term, organizations should do the following:
- Apply Trend Micro’s mitigation tool despite the loss of remote agent installation, since the risk of compromise far outweighs the temporary operational inconvenience.
- Limit network exposure of the Apex One Management Console by restricting access to only trusted admin networks or through a VPN, and block internet-facing connections.
- Monitor for signs of exploitation, including unusual process executions, privilege escalations, or outbound connections from the console host.
- Hunt for indicators of compromise (IoCs) in system logs and EDR telemetry to catch early-stage activity if exploitation has already occurred.
- Prepare rapid restoration paths for affected endpoints, including validated backups, in case the flaw is leveraged for ransomware or destructive attacks.




