Skip to main content

Trend Micro Apex One CVE-2025-71211

| EUVDEUVD-2025-209911 CRITICAL
Path Traversal (CWE-22)
2026-05-21 trendmicro GHSA-qvww-2vwg-9rp6
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 21, 2026 - 14:15 vuln.today
Patch available
May 21, 2026 - 14:02 EUVD

DescriptionCVE.org

A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected installations. This vulnerability is similar in scope to CVE-2025-71210 but affects a different executable.

Please note: although this vulnerability carries a technical critical CVSS rating, this was reported via responsible disclosure via a researcher through the Zero Day Initiative. The SaaS versions of the product have already been mitigated and no customer action required.

For this particular vulnerability, an attacker must have access to the Trend Micro Apex One Management Console, so customers that have their console�s IP address exposed externally should consider mitigating factors such as source restrictions if not already applied.

AnalysisAI

Remote code execution in the Trend Micro Apex One management console allows attackers with console access to upload malicious files via a path traversal flaw (CWE-22) and execute arbitrary commands on the server. The on-premises product (versions before 14.0.0.14136) is affected, while SaaS deployments have already been remediated by the vendor. No public exploit identified at time of analysis; the issue was responsibly disclosed through the Zero Day Initiative (ZDI-26-137).

Technical ContextAI

Trend Micro Apex One is an endpoint protection platform; its on-premises management console is a web-based administrative interface used to centrally configure and deploy security policies to managed endpoints. The underlying weakness is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e., Path Traversal), which here permits an attacker to escape the intended upload directory and write attacker-controlled files to executable locations on the host. The vulnerability is sibling to CVE-2025-71210, differing only in the specific console executable handling the upload, indicating a class of input-validation defects in the console's file-handling components. Affected CPEs cover both trendai_apex_one and trendai_apex_one_as_a_service, though the SaaS variant has been patched server-side.

RemediationAI

Vendor-released patch: upgrade on-premises Apex One 2019 (14.0) to build 14.0.0.14136 or later as described in Trend Micro solution KA-0022458 (https://success.trendmicro.com/en-US/solution/KA-0022458); Apex One as a Service has already been updated to 14.0.20315 and requires no customer action. Until the on-premises patch can be applied, restrict the management console's exposure: place the console behind a VPN or jump host, apply source-IP allowlists at the firewall or reverse proxy to limit access to known administrator networks, and remove any direct internet exposure of the console interface. These network restrictions may impact remote administration workflows and any agent-to-server flows that share the same listener, so validate that endpoint check-in still functions after applying ACLs. Additional context is available in the ZDI advisory at https://www.zerodayinitiative.com/advisories/ZDI-26-137/.

CVE-2016-7552 CRITICAL POC
9.8 Apr 12

On the Trend Micro Threat Discovery Appliance 2.6.1062r1, directory traversal when processing a session_id cookie allows

CVE-2016-7547 CRITICAL POC
9.8 Apr 12

A command execution flaw on the Trend Micro Threat Discovery Appliance 2.6.1062r1 exists with the timezone parameter in

CVE-2017-11394 CRITICAL POC
9.8 Aug 03

Proxy command injection vulnerability in Trend Micro OfficeScan 11 and XG (12) allows remote attackers to execute arbitr

CVE-2017-11391 HIGH POC
8.8 Aug 03

Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote att

CVE-2017-11392 HIGH POC
8.8 Aug 03

Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote att

CVE-2016-6267 HIGH POC
8.8 Jan 30

SnmpUtils in Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330

CVE-2017-6398 HIGH POC
8.8 Mar 14

An issue was discovered in Trend Micro InterScan Messaging Security (Virtual Appliance) 9.1-1600. Rated high severity (C

CVE-2017-7896 MEDIUM POC
6.1 Apr 18

Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 before CP 1644 has XSS. Rated medium severity (CV

CVE-2017-14078 CRITICAL
9.8 Sep 22

SQL Injection vulnerabilities in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attac

CVE-2016-3987 CRITICAL POC
9.8 Apr 12

The HTTP server in Trend Micro Password Manager allows remote web servers to execute arbitrary commands via the url para

CVE-2017-14089 CRITICAL POC
9.8 Oct 06

An Unauthorized Memory Corruption vulnerability in Trend Micro OfficeScan 11.0 and XG may allow remote unauthenticated u

CVE-2020-8606 CRITICAL POC
9.8 May 27

A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to bypass authent

Share

CVE-2025-71211 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy