JVNVU#92409854
Trend Micro Endpoint security products for enterprises vulnerable to multiple OS command injection
Critical
Overview
Trend Micro Endpoint security products for enterprises contain multiple OS command injection vulnerabilities.
Products Affected
- Trend Micro Apex One On Premise (2019)
- Trend Micro Apex One as a Service
- Trend Vision One Endpoint Security - Standard Endpoint Protection
Description
Trend Micro Endpoint security products for enterprises contain the following vulnerabilities.
- OS command injection vulnerability in the management console (CWE-78)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N Base Score 8.8
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H Base Score 9.4
- CVE-2025-54948, CVE-2025-54987
Impact
An unauthenticated attacker may exploit this vulnerability to execute arbitrary code.
Solution
For Trend Micro Apex One On Premise (2019):
Apply Fixtool
Apply Fixtool according to the information provided by the developer.
In addition, the developer is planning to release a Critical Patch as permanent measures in mid-August 2025.
For Trend Micro Apex One as a Service and Trend Vision One Endpoint Security - Standard Endpoint Protection:
The vulnerabilities have already been fixed in the July 31, 2025 updates.
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
Other Information
| JPCERT Alert |
JPCERT-AT-2025-0016 Alert Regarding Multiple OS Command Injection Vulnerabilities in Trend Micro Multiple Endpoint Security Products for Enterprises |
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
|
| JVN iPedia |
|
Update History
- 2025/08/06
- Information under the section [Other Information] was updated