[Japanese]

JVNDB-2025-010854

Trend Micro Endpoint security products for enterprises vulnerable to multiple OS command injection

Overview

Trend Micro Endpoint security products for enterprises contain the following vulnerabilities.
  • OS command injection vulnerability in the management console (CWE-78) - CVE-2025-54948, CVE-2025-54987

Trend Micro Incorporated has reported that attacks exploiting CVE-2025-54948 have been observed in the wild.

Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 9.4 (Critical) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: Low
  • Availability Impact: High
Affected Products


Trend Micro, Inc.
  • Trend Micro Apex One On Premise (2019)
  • Trend Micro Apex One as a Service
  • Trend Vision One Endpoint Security - Standard Endpoint Protection

Impact

An unauthenticated attacker may exploit this vulnerability to execute arbitrary code.
Solution

For Trend Micro Apex One On Premise (2019):
[Apply Fixtool]
Apply Fixtool according to the information provided by the developer.
In addition, the developer is planning to release a Critical Patch as permanent measures in mid-August 2025.

For Trend Micro Apex One as a Service and Trend Vision One Endpoint Security - Standard Endpoint Protection:
The vulnerabilities have already been fixed in the July 31, 2025 updates.
Vendor Information

Trend Micro, Inc.
CWE (What is CWE?)

  1. OS Command Injection(CWE-78) [Other]
CVE (What is CVE?)

  1. CVE-2025-54948
  2. CVE-2025-54987
References

  1. JVN : JVNVU#92409854
  2. JPCERT Alert : JPCERT-AT-2025-0016
Revision History

  • [2025/08/07]
      Web page was published