Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected installations. This vulnerability is similar in scope to CVE-2025-71210 but affects a different executable.
Please note: although this vulnerability carries a technical critical CVSS rating, this was reported via responsible disclosure via a researcher through the Zero Day Initiative. The SaaS versions of the product have already been mitigated and no customer action required.
For this particular vulnerability, an attacker must have access to the Trend Micro Apex One Management Console, so customers that have their console�s IP address exposed externally should consider mitigating factors such as source restrictions if not already applied.
AnalysisAI
Remote code execution in the Trend Micro Apex One management console allows attackers with console access to upload malicious files via a path traversal flaw (CWE-22) and execute arbitrary commands on the server. The on-premises product (versions before 14.0.0.14136) is affected, while SaaS deployments have already been remediated by the vendor. No public exploit identified at time of analysis; the issue was responsibly disclosed through the Zero Day Initiative (ZDI-26-137).
Technical ContextAI
Trend Micro Apex One is an endpoint protection platform; its on-premises management console is a web-based administrative interface used to centrally configure and deploy security policies to managed endpoints. The underlying weakness is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e., Path Traversal), which here permits an attacker to escape the intended upload directory and write attacker-controlled files to executable locations on the host. The vulnerability is sibling to CVE-2025-71210, differing only in the specific console executable handling the upload, indicating a class of input-validation defects in the console's file-handling components. Affected CPEs cover both trendai_apex_one and trendai_apex_one_as_a_service, though the SaaS variant has been patched server-side.
RemediationAI
Vendor-released patch: upgrade on-premises Apex One 2019 (14.0) to build 14.0.0.14136 or later as described in Trend Micro solution KA-0022458 (https://success.trendmicro.com/en-US/solution/KA-0022458); Apex One as a Service has already been updated to 14.0.20315 and requires no customer action. Until the on-premises patch can be applied, restrict the management console's exposure: place the console behind a VPN or jump host, apply source-IP allowlists at the firewall or reverse proxy to limit access to known administrator networks, and remove any direct internet exposure of the console interface. These network restrictions may impact remote administration workflows and any agent-to-server flows that share the same listener, so validate that endpoint check-in still functions after applying ACLs. Additional context is available in the ZDI advisory at https://www.zerodayinitiative.com/advisories/ZDI-26-137/.
More in Trend Micro
View allOn the Trend Micro Threat Discovery Appliance 2.6.1062r1, directory traversal when processing a session_id cookie allows
A command execution flaw on the Trend Micro Threat Discovery Appliance 2.6.1062r1 exists with the timezone parameter in
Proxy command injection vulnerability in Trend Micro OfficeScan 11 and XG (12) allows remote attackers to execute arbitr
Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote att
Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote att
SnmpUtils in Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330
An issue was discovered in Trend Micro InterScan Messaging Security (Virtual Appliance) 9.1-1600. Rated high severity (C
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 before CP 1644 has XSS. Rated medium severity (CV
SQL Injection vulnerabilities in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attac
The HTTP server in Trend Micro Password Manager allows remote web servers to execute arbitrary commands via the url para
An Unauthorized Memory Corruption vulnerability in Trend Micro OfficeScan 11.0 and XG may allow remote unauthenticated u
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to bypass authent
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209911
GHSA-qvww-2vwg-9rp6