What is the CVSS score of CVE-2025-47867?

CVE-2025-47867 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.7%.

Which versions of PHP are affected by CVE-2025-47867?

Trend Micro Apex Central versions below 8.0.6955 contain a local file inclusion vulnerability that allows authenticated users to execute arbitrary code on the management server, potentially…. A patch is available.

How to fix or mitigate CVE-2025-47867?

Within 24 hours: Identify all Apex Central deployments and current versions via asset inventory; verify whether any instances run versions below 8.0.6955. Within 7 days: Apply vendor patch to upgrade all affected instances to version 8.0.6955 or later; test in non-production environment first. Within 30 days: Conduct access review of Apex Central administrative and user accounts to restrict low-level authentication where feasible; enable audit logging for file operations and PHP execution on Apex Central servers.

PHP CVE-2025-47867

EUVD-2025-18517 HIGH

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

2025-06-17 security@trendmicro.com

PHP RCE Trend Micro LFI Apex Central

7.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.5 HIGH

AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:37 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

8.0.6955

EUVD ID Assigned

Mar 14, 2026 - 22:15 euvd

EUVD-2025-18517

Analysis Generated

Mar 14, 2026 - 22:15 vuln.today

CVE Published

Jun 17, 2025 - 18:15 nvd

HIGH 7.5

DescriptionCVE.org

A Local File Inclusion vulnerability in a Trend Micro Apex Central widget in versions below 8.0.6955 could allow an attacker to include arbitrary files to execute as PHP code and lead to remote code execution on affected installations.

AnalysisAI

Local File Inclusion (LFI) vulnerability in Trend Micro Apex Central widgets (versions below 8.0.6955) that allows authenticated attackers to include and execute arbitrary PHP files, achieving remote code execution on affected systems. The vulnerability requires low-level user authentication and moderate attack complexity but carries high impact across confidentiality, integrity, and availability. Active exploitation status and proof-of-concept availability have not been confirmed from the provided data, but the authentication requirement and network accessibility make this a credible threat to deployed Apex Central instances.

Technical ContextAI

This vulnerability stems from CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), which manifests as a Local File Inclusion flaw in Trend Micro Apex Central's widget processing logic. The widget component fails to properly validate or sanitize user-supplied file path inputs before including them via PHP's file inclusion mechanisms (likely include(), require(), or similar functions). An attacker with valid credentials can craft malicious requests to the widget to traverse the filesystem and include arbitrary files, which are then processed as PHP code within the application context. The vulnerability affects Apex Central versions prior to 8.0.6955, indicating the fix was incorporated in the patch release. CPE identification would be: cpe:2.3:a:trendmicro:apex_central:*:*:*:*:*:*:*:* (versions <8.0.6955).

RemediationAI

Immediate patch: Update Trend Micro Apex Central to version 8.0.6955 or later. 2) Interim mitigations (if patching is delayed): Restrict network access to Apex Central administrative interfaces using firewall rules; limit widget functionality access to trusted internal networks only; enforce strong authentication and monitor for unusual widget access patterns. 3) Post-remediation: Verify patch installation across all Apex Central instances; audit logs for evidence of exploitation attempts (look for unusual file inclusion requests in widget components); review user access logs for suspicious authenticated activity. 4) Vendor reference: Contact Trend Micro support or review the official Apex Central security advisory for patch download links and detailed deployment guidance specific to your environment.

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

CVE-2025-47867 vulnerability details – vuln.today

Back

PHP CVE-2025-47867

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code