CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Description
A Server-side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central (SaaS) could allow an attacker to manipulate certain parameters leading to information disclosure on affected installations. Please note: this vulnerability only affects the SaaS instance of Apex Central - customers that automatically apply Trend Micro's monthly maintenance releases to the SaaS instance do not have to take any further action.
Analysis
A Server-Side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central SaaS allows authenticated attackers to manipulate parameters and disclose sensitive information from affected installations. The vulnerability affects only the SaaS deployment model of Apex Central; SaaS customers receiving automatic monthly maintenance updates are not impacted. No public exploit or KEV listing is indicated, but the CVSS 7.1 score and the information-disclosure impact present moderate risk for organizations with manual SaaS deployments or on-premises installations.
Technical Context
This vulnerability is classified as CWE-918 (Server-Side Request Forgery), a class of flaws in which an attacker manipulates server-side HTTP requests to reach internal resources, services, or metadata endpoints. In Apex Central's SaaS infrastructure, the vulnerability likely stems from insufficient input validation on parameters that control outbound HTTP requests, potentially affecting API endpoints, webhook handlers, or integration points that fetch remote resources. The SSRF allows attackers to bypass network segmentation by leveraging the server's trusted network position to probe internal IP ranges, cloud metadata services (e.g., AWS IMDSv1), or adjacent services. Because the vulnerability requires PR:L (low privilege, i.e. authenticated access), the realistic threat comes from internal users or compromised low-privilege accounts rather than unauthenticated threat actors.
Affected Products
Trend Micro Apex Central SaaS (all versions prior to the automatic monthly maintenance patch cycle). The vulnerability does NOT affect on-premises deployments, and no on-premises versions are mentioned as requiring a patch. Specific CPE information is not provided in the public disclosure, but the affected scope is 'Trend Micro Apex Central' with deployment model 'SaaS' prior to the automatic security updates. Customers should verify their deployment mode (SaaS vs. on-premises) and patch status via Trend Micro's management console. Vendor advisory and patch details should be obtained from Trend Micro's official security bulletins and the Apex Central SaaS console notifications.
Remediation
Primary remediation: Verify that your Trend Micro Apex Central SaaS instance is configured to receive automatic monthly maintenance releases (the default setting). Trend Micro states that customers with automatic updates are not required to take further action.

For manual SaaS deployments: Apply the latest monthly maintenance release immediately by (1) accessing the Apex Central SaaS management portal, (2) navigating to Settings > System Updates, and (3) enabling automatic monthly patch application or manually triggering the latest available patch.

For on-premises Apex Central deployments (if affected): Consult Trend Micro's official security advisory for the specific patched version number and apply the corresponding update.

Interim mitigations: (1) restrict network access to Apex Central administrative interfaces via IP whitelisting or VPN; (2) audit and minimize the number of low-privilege users with access to parameter-manipulation functionality; (3) monitor outbound HTTP/HTTPS traffic from Apex Central servers for suspicious destinations (internal IPs, metadata endpoints, unexpected external hosts).

Reference official Trend Micro security advisories and product bulletins for exact version numbers and patch download links.
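The outbound-traffic monitoring in interim mitigation (3) can be turned into a concrete check. The following Python is an added example, not code from Trend Micro or from this advisory: it classifies the destination of each egress log line against loopback, RFC 1918, link-local and cloud-metadata ranges, including the decimal/hex and IPv4-mapped-IPv6 spellings of an address that naive string matching misses. The log line format, the host name apex-web and the user names are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Ranges an SSRF reaches from the server's trusted network position: loopback,
# RFC 1918, link-local (where cloud metadata services live) and IPv6 equivalents.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
METADATA_IP = ipaddress.ip_address("169.254.169.254")  # AWS IMDS, named above

def host_to_ip(host):
    """Parse a URL host as an IP, also accepting decimal/hex spellings (2130706433,
    0x7f000001) and unwrapping IPv4-mapped IPv6. None means not an IP literal."""
    for parse in (str, lambda h: int(h, 0)):
        try:
            ip = ipaddress.ip_address(parse(host))
            return getattr(ip, "ipv4_mapped", None) or ip  # ::ffff:a.b.c.d -> a.b.c.d
        except ValueError:
            continue
    return None  # a DNS name: resolve it and re-check the resolved addresses

def classify_destination(url):
    """Return why an outbound URL looks like SSRF probing, or None if unremarkable."""
    try:
        host = urlsplit(url).hostname or ""  # strips scheme, userinfo, port, brackets
    except ValueError:
        return "unparseable host"
    ip = host_to_ip(host)
    if ip == METADATA_IP:
        return "cloud metadata endpoint"
    return next((f"internal address ({n})" for n in INTERNAL_NETS
                 if ip is not None and ip in n), None)

# Constructed egress-proxy lines, not real Apex Central output; adapt LOG_RE to
# the field layout of your own proxy or firewall logs.
SAMPLE_EGRESS_LOG = """\
2025-06-12T10:14:03Z apex-web dst=https://updates.example.com/manifest.json user=svc-update
2025-06-12T10:14:09Z apex-web dst=http://169.254.169.254/latest/meta-data/iam/ user=analyst1
2025-06-12T10:14:11Z apex-web dst=http://0x7f000001:8080/admin user=analyst1
2025-06-12T10:14:15Z apex-web dst=http://[::ffff:10.0.0.5]/ user=analyst1
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) \S+ dst=(?P<url>\S+) user=(?P<user>\S+)$")

def scan_egress_log(text):
    """Return (timestamp, user, url, reason) for every line that deserves an alert."""
    matches = filter(None, map(LOG_RE.match, text.splitlines()))
    flagged = ((m, classify_destination(m["url"])) for m in matches)
    return [(m["ts"], m["user"], m["url"], reason) for m, reason in flagged if reason]
```

Plain DNS names pass through unflagged here; in production, resolve them and run the same check on every resolved address, since a hostname under attacker control can point at an internal range.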
EUVD-2025-18554