🔴 CVE-2025-54948

CVE-2025-54948 is a critical OS command injection vulnerability in Trend Micro Apex One on-premise management console that allows pre-authenticated remote attackers to upload malicious code and execute arbitrary commands. CISA has added this vulnerability to the KEV catalog due to active exploitation in the wild.

โ† Back to Overview
Risk Level: HIGH_RISK

CVSS Score: 9.4

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 - Exploit Public-Facing Application

Deployment Risk: VERY_HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-08-05

Added to CISA KEV: 2025-08-18 (13 days between CVE and KEV)

🎯 Recommendations:

๐Ÿ” Web Intelligence (Kagi ยท 2025-09-06)

CVE-2025-54948 is a critical vulnerability affecting Trend Micro Apex One (on-premise) management console [1][2]. Here's what is known about its exploitation:

  • Affected Applications/Services: The vulnerability affects the on-premise management console of Trend Micro Apex One [1][2]. This component is likely to be internet-facing in many deployments.
  • Active Exploitation: There is evidence of active exploitation in the wild [3][4].
  • Attack Vectors/Exploitation Methods:
      * It is a command injection vulnerability [5].
      * It allows a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations [1][6].
      * The attack complexity is low, and no privileges are required, making it an easy target [7].
      * Unauthenticated remote threat actors can execute arbitrary code on vulnerable systems [5].
  • Targeted Attacks: While not explicitly stated as "targeted attacks," the active exploitation in the wild suggests it is being used in real-world attacks [3][4].
  • CISA KEV Status: CISA has added CVE-2025-54948 to its Known Exploited Vulnerabilities (KEV) Catalog [3][8]. This means that CISA has determined that this vulnerability is being actively exploited and poses a significant risk [3].
  • Technical Details/Internet Exploitability:
      * The vulnerability has a CVSS score of 9.4, indicating its severity [9][10].
      * It is an OS command injection vulnerability in the Trend Micro Apex One on-premise management console [8][11].
      * The vulnerability allows unauthenticated remote attackers to upload malicious code and execute arbitrary commands [10].
      * The vulnerability is essentially the same as CVE-2025-54987 but targets different CPU architectures [12][13].

Sources

  1. ITW CRITICAL SECURITY BULLETIN: Trend Micro Apex One (On-Premise ...

    This vulnerability is essentially the same as CVE-2025-54948 but targets a different CPU architecture. Mitigating Factors. Exploiting these type of ...

  2. CVE-2025-54948 | Tenable®

    A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code ...

  3. CISA Adds One Known Exploited Vulnerability to Catalog

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  4. CISA Warns of Trend Micro Apex One OS Command Injection Vulnerability ...

    The vulnerability, tracked as CVE-2025-54948 and classified under CWE-78, poses significant risks to organizations running on-premise installations of the enterprise security platform. Key Takeaways 1. CISA confirms CVE-2025-54948 attacks on Trend Micro Apex One.

  5. CVE-2025-54948 & CVE-2025-54987 | Arctic Wolf

    Both stem from a command injection issue that allows unauthenticated, remote threat actors to execute arbitrary code on vulnerable systems.