The name sounds like a line of defense. The reality is less comfortable. Security researchers have discovered several vulnerabilities in Trend Micro Apex One, some of them critical, that enable exactly what endpoint security is supposed to prevent: code execution and privilege escalation. For companies running on-premises installations this is not a theoretical problem but an urgent call to action. Failing to patch could hand attackers control at the management level.

Critical RCE through directory traversal
At the center are two vulnerabilities in the Apex One management console on Windows: CVE-2025-71210 and CVE-2025-71211, both rated CVSS 9.8, i.e., “critical.” Technically, these are directory traversal vulnerabilities in two executable files: an attacker supplies manipulated path specifications to write or read files outside the intended directories, and the result is remote code execution. One important caveat: according to the manufacturer, exploitation requires access to the management console. That is no reason to sound the all-clear. In practice, management interfaces are frequently exposed more than necessary, either directly to the internet or internally behind overly generous ACLs. Anyone who has configured the console carelessly is offering attackers a target.
The recommendation is clear: do not expose the console publicly, restrict access within the LAN as tightly as possible, and install the update immediately.
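To make the vulnerability class concrete, here is an added, generic example (not Trend Micro's code, and not the code of the affected executables) of a naive path join next to a hardened resolver that decodes, normalises and then proves the result still lies under the intended directory. `BASE_DIR` and the request strings are constructed for the demonstration; `posixpath` is used explicitly so the output is identical on every platform.

```python
"""Directory traversal: a naive path join next to a hardened one.

Added, generic example of the vulnerability class the advisory describes
(client-controlled path specifications escaping the intended directory).
It is not Trend Micro's code; BASE_DIR and the request paths below are
constructed for the demonstration.
"""
import posixpath
import urllib.parse

# Constructed directory a hypothetical console handler is supposed to stay inside.
BASE_DIR = "/opt/console/uploads"


class TraversalError(ValueError):
    """Raised by the hardened resolver when a path would leave the base directory."""


def resolve_vulnerable(base: str, user_path: str) -> str:
    """Naive join: whatever the client sends is trusted.

    normpath stands in for what the file system does with '..' at open time.
    Note that join() drops `base` entirely when user_path is absolute.
    """
    return posixpath.normpath(posixpath.join(base, user_path))


def resolve_hardened(base: str, user_path: str) -> str:
    """Canonicalise the request first, then prove it still lies under `base`.

    1. Percent-decode once, so '%2e%2e%2f' cannot slip past textual checks.
    2. Reject NUL bytes (C-level file APIs would silently truncate there).
    3. Treat '\\' like '/', because Windows accepts both as separators.
    4. Reject absolute paths and drive letters rather than joining them.
    5. Normalise '..' and require the result to be base or base + '/...'.
    In production, additionally realpath() both base and result so symlinks
    inside the directory cannot point back out.
    """
    decoded = urllib.parse.unquote(user_path)
    if "\x00" in decoded:
        raise TraversalError(f"NUL byte in path: {user_path!r}")
    unified = decoded.replace("\\", "/")
    if unified.startswith("/") or (len(unified) >= 2 and unified[1] == ":"):
        raise TraversalError(f"absolute path rejected: {user_path!r}")
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, unified))
    # Prefix check with the trailing '/' so '/opt/console/uploads_evil' is not accepted.
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        raise TraversalError(f"path escapes base directory: {user_path!r}")
    return candidate


def compare(base: str, user_path: str) -> tuple:
    """Return (naive_result, hardened_result_or_None) for one request."""
    naive = resolve_vulnerable(base, user_path)
    try:
        hardened = resolve_hardened(base, user_path)
    except TraversalError:
        hardened = None
    return naive, hardened


# Constructed request paths: the first is legitimate, the rest are traversal attempts.
SAMPLE_REQUESTS = [
    "reports/2025-q4.log",
    "../../../etc/passwd",
    "/etc/passwd",
    "..%2F..%2F..%2Fetc%2Fshadow",
    "..\\..\\..\\Windows\\win.ini",
    "C:\\Windows\\System32\\drivers\\etc\\hosts",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        naive, hardened = compare(BASE_DIR, req)
        verdict = "allowed" if hardened else "BLOCKED"
        print(f"{req!r:45} naive -> {naive:40} hardened -> {verdict}")
```

Note that for the percent-encoded and backslash variants the naive join looks harmless as a string; the escape only materialises once a later layer decodes the request or the Windows file API treats the backslash as a separator. That is why the hardened version canonicalises before checking rather than pattern-matching the raw input.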
Privilege escalation via scan engine and origin error
In addition to the RCE vulnerabilities, there are two further high-severity vulnerabilities:
- CVE-2025-71212 (CVSS 7.8): a link-following error in the scan engine that allows privilege escalation.
- CVE-2025-71213 (CVSS 7.8): an incorrect origin check (origin validation error) that allows attackers to gain higher privileges on the system.
Neither vulnerability is purely theoretical. In complex corporate environments, initial access with low privileges is often enough; if that foothold can be escalated to system level, an incident quickly becomes an infrastructure problem.
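The link-following class behind CVE-2025-71212 is easiest to see with a small scenario, so here is an added, generic example (not Trend Micro's code, and nothing is known from the page about the scan engine's internals): a low-privileged user controls a directory that a privileged scanner walks and plants a symlink to a file only the scanner may write; a scanner that opens by path then "quarantines" the link target with its own privileges, while one that opens with `O_NOFOLLOW` refuses. The files, directory names and the `QUARANTINED` stamp are constructed for the demonstration; it needs a POSIX system.

```python
"""Link following: why a privileged scanner must not trust paths it did not create.

Added, generic example of the vulnerability class behind CVE-2025-71212
(a link-following error in the scan engine); it is not Trend Micro's code.
Everything below is constructed in a temporary directory.
"""
import errno
import os
import shutil
import stat
import tempfile

QUARANTINE_STAMP = b"QUARANTINED\n"


def quarantine_following(path: str) -> None:
    """Unsafe: open(2) follows symlinks, so the truncate-and-write lands on the target."""
    fd = os.open(path, os.O_WRONLY | os.O_TRUNC)
    try:
        os.write(fd, QUARANTINE_STAMP)
    finally:
        os.close(fd)


def quarantine_nofollow(path: str) -> None:
    """Safe for the final path component.

    O_NOFOLLOW makes open(2) fail with ELOOP on a symlink instead of following
    it, and does so atomically (an islink() check followed by open() can be
    raced). fstat() on the opened descriptor additionally refuses devices and
    FIFOs planted in place of a regular file.
    """
    fd = os.open(path, os.O_WRONLY | os.O_TRUNC | os.O_NOFOLLOW)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError(errno.EINVAL, "refusing to act on a non-regular file", path)
        os.write(fd, QUARANTINE_STAMP)
    finally:
        os.close(fd)


def demonstrate() -> dict:
    """Build the scenario, run both variants, and return what happened to the target."""
    root = tempfile.mkdtemp(prefix="linkdemo-")
    try:
        # Stand-in for a file only the privileged scanner may write (e.g. its own config).
        protected = os.path.join(root, "protected.conf")
        with open(protected, "w") as f:
            f.write("secret=1\n")
        # Attacker-writable directory that the scanner walks; the attacker plants a link.
        user_dir = os.path.join(root, "user_dir")
        os.mkdir(user_dir)
        planted = os.path.join(user_dir, "scanme.txt")
        os.symlink(protected, planted)

        outcome = {}
        try:
            quarantine_nofollow(planted)
            outcome["safe_refused"] = False
        except OSError as e:
            outcome["safe_refused"] = e.errno == errno.ELOOP
        with open(protected) as f:
            outcome["target_after_safe"] = f.read()

        quarantine_following(planted)
        with open(protected) as f:
            outcome["target_after_unsafe"] = f.read()
        return outcome
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value!r}")
```

Two caveats a practitioner should keep in mind: `O_NOFOLLOW` only covers the last path component, so a link planted as an intermediate directory still redirects the walk (use directory file descriptors with `os.open(..., dir_fd=...)`, or do the walk with dropped privileges); and on Windows the equivalent is opening with `FILE_FLAG_OPEN_REPARSE_POINT` so that junctions and symlinks are not silently traversed.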
Earlier attacks and extended patches
The current updates also extend measures Trend Micro had already taken in August to close actively exploited vulnerabilities. At that time the focus was on CVE-2025-54987 and CVE-2025-54948, among others, likewise rated CVSS 9.8. That vulnerabilities in endpoint management systems are actively exploited comes as no surprise: in the worst case, compromising the protection software bypasses the entire defense chain, which is strategically far more attractive than attacking individual clients.
macOS variant also affected
For Apex One on macOS, Trend Micro cites several vulnerabilities that have since been closed:
- CVE-2025-71215, CVE-2025-71216, CVE-2025-71217 (CVSS 7.8)
- CVE-2025-71214 (CVSS 7.2)
Here, too, the issue is potential privilege escalation. According to the manufacturer, these vulnerabilities were closed between mid and late 2025 via ActiveUpdate. There is no longer an urgent need for action on current installations, provided the updates have actually been applied consistently, which is worth verifying rather than assuming.
Who is specifically affected
Action is particularly required for:
- Apex One 2019 (on-premises)
→ Update to at least CP Build 14136.
The following are not affected or are already secured:
- Apex One as a Service
- Trend Vision One Endpoint Security with Security Agent version 14.0.20315
This demonstrates the structural advantage of SaaS models: the manufacturer controls the update cycle. On-premises customers bear the operational responsibility themselves, including patch discipline.
A structural problem
This incident is not an isolated case. Management consoles for security solutions have been a preferred target for years. They bundle rights, configuration, and agent control in a single system, so whoever compromises them gains control over the defenses. This is the paradox of modern IT security: the more centralized the protection mechanisms, the more attractive they are as targets. A poorly secured security console is not a bulwark but a damage multiplier.
Clear recommendation
- Do not expose the management console
- Configure network access restrictively
- Check patch status
- Install CP Build 14136 or higher
- Verify agent versions
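The last three items of that list are a simple inventory question, so here is an added example (not a Trend Micro tool) that triages a constructed host inventory against the thresholds named on this page: on-premises Apex One 2019 needs CP Build 14136 or higher, Trend Vision One Endpoint Security is listed with Security Agent 14.0.20315 (treated here as the minimum version, which is an assumption), and Apex One as a Service is vendor-managed. The `Host` records, product labels and the `console_exposed` flag are constructed; in practice they would come from an asset database or a console export.

```python
"""Patch-status triage against the thresholds named on this page.

Added example, not a Trend Micro tool. Thresholds: on-premises Apex One 2019
needs CP Build 14136 or higher; Trend Vision One Endpoint Security is listed
with Security Agent 14.0.20315 (treated as the minimum, an assumption);
Apex One as a Service is vendor-managed. The inventory is constructed.
"""
import re
from dataclasses import dataclass

MIN_ONPREM_BUILD = 14136
MIN_AGENT_VERSION = (14, 0, 20315)

# Ordering used to sort findings, worst first.
SEVERITY = {"VULNERABLE+EXPOSED": 3, "VULNERABLE": 2, "UNKNOWN": 1, "OK": 0}


@dataclass
class Host:
    name: str
    product: str                    # "apexone-onprem" | "apexone-saas" | "vision-one-agent"
    version: str                    # free-form, as exported
    console_exposed: bool = False   # management console reachable outside the admin segment


def parse_build(text: str):
    """Pull the CP build number out of strings like 'SP1 CP Build 14136'."""
    m = re.search(r"build\s*(\d+)", text, re.IGNORECASE)
    return int(m.group(1)) if m else None


def parse_version(text: str):
    """Pull a dotted three-part version such as 14.0.20315 out of free text."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    return tuple(int(x) for x in m.groups()) if m else None


def classify(host: Host) -> tuple:
    """Return (status, detail) for one host."""
    if host.product == "apexone-saas":
        return "OK", "vendor-managed (Apex One as a Service)"
    if host.product == "apexone-onprem":
        build = parse_build(host.version)
        if build is None:
            return "UNKNOWN", f"cannot parse build from {host.version!r}"
        if build >= MIN_ONPREM_BUILD:
            return "OK", f"CP Build {build}"
        # An unpatched console that is also reachable is the first thing to fix.
        status = "VULNERABLE+EXPOSED" if host.console_exposed else "VULNERABLE"
        return status, f"CP Build {build} < {MIN_ONPREM_BUILD}"
    if host.product == "vision-one-agent":
        ver = parse_version(host.version)
        if ver is None:
            return "UNKNOWN", f"cannot parse version from {host.version!r}"
        dotted = ".".join(map(str, ver))
        if ver >= MIN_AGENT_VERSION:
            return "OK", f"agent {dotted}"
        return "VULNERABLE", f"agent {dotted} < 14.0.20315"
    return "UNKNOWN", f"unrecognised product {host.product!r}"


def triage(hosts) -> list:
    """Classify every host and return (name, status, detail) rows, worst first."""
    rows = [(h.name, *classify(h)) for h in hosts]
    return sorted(rows, key=lambda r: (-SEVERITY[r[1]], r[0]))


# Constructed inventory.
INVENTORY = [
    Host("apex-mgmt-01", "apexone-onprem", "Apex One 2019 SP1 CP Build 14136"),
    Host("apex-mgmt-02", "apexone-onprem", "Apex One 2019 SP1 CP Build 14099", console_exposed=True),
    Host("apex-mgmt-03", "apexone-onprem", "Apex One 2019 SP1 (build unknown)"),
    Host("saas-tenant", "apexone-saas", "n/a"),
    Host("ws-0417", "vision-one-agent", "Security Agent 14.0.20315"),
    Host("ws-0418", "vision-one-agent", "Security Agent 14.0.19871"),
]

if __name__ == "__main__":
    for name, status, detail in triage(INVENTORY):
        print(f"{status:19} {name:14} {detail}")
```

The point of the `UNKNOWN` bucket is that a host whose build cannot be read is not "probably fine"; it goes above the patched hosts in the list precisely so someone looks at it.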
Anyone who puts this off is acting negligently. CVSS 9.8 is not about cosmetic fixes but about a potentially complete system takeover. Endpoint security is not a static product but an ongoing process, and that process begins with a simple, often underestimated step: actually installing the updates.
| Source | Key message | Link |
|---|---|---|
| Trend Micro | Describes vulnerabilities CVE-2025-71210 and CVE-2025-71211 as directory traversal with remote code execution in the Apex One Management Console. | https://success.trendmicro.com/en-US/solution/KA-0022458 |
| Trend Micro | Confirms the availability of Apex One Service Pack 1 Critical Patch Build 14136 as an update to be applied. | https://success.trendmicro.com/en-US/solution/KA-0021747 |
| Trend Micro | Documents the previously exploited vulnerabilities CVE-2025-54948 and CVE-2025-54987 in the Apex One On-Premise Management Console. | https://success.trendmicro.com/en-us/solution/KA-0020652 |

