|
[Japanese]
|
JVNDB-2025-010854
|
Trend Micro Endpoint security products for enterprises vulnerable to multiple OS command injection
|
|
Trend Micro Endpoint security products for enterprises contain the following vulnerabilities.
- OS command injection vulnerability in the management console (CWE-78) - CVE-2025-54948, CVE-2025-54987
Trend Micro Incorporated has reported that attacks exploiting CVE-2025-54948 have been observed in the wild.
Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
|
|
CVSS V3 Severity:
Base Metrics 9.4 (Critical) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: High
|
|
|
Trend Micro, Inc.
- Trend Micro Apex One On Premise (2019)
- Trend Micro Apex One as a Service
- Trend Vision One Endpoint Security - Standard Endpoint Protection
|
|
|
An unauthenticated attacker may exploit this vulnerability to execute arbitrary code.
|
|
For Trend Micro Apex One On Premise (2019):
[Apply Fixtool]
Apply Fixtool according to the information provided by the developer.
In addition, the developer is planning to release a Critical Patch as permanent measures in mid-August 2025.
For Trend Micro Apex One as a Service and Trend Vision One Endpoint Security - Standard Endpoint Protection:
The vulnerabilities have already been fixed in the July 31, 2025 updates.
|
|
Trend Micro, Inc.
|
|
- OS Command Injection(CWE-78) [Other]
|
|
- CVE-2025-54948
- CVE-2025-54987
|
|
- JVN : JVNVU#92409854
- JPCERT Alert : JPCERT-AT-2025-0016
|
|
- [2025/08/07]
Web page was published
|
