Critical Unauthenticated RCE Vulnerability in Trend Micro Apex Central (CVE-2025-69258)
A critical remote code execution vulnerability, tracked as CVE-2025-69258, was discovered in Trend Micro Apex Central (on-premise), allowing unauthenticated attackers to load a malicious DLL into the MsgReceiver.exe process and execute code with SYSTEM privileges. The flaw, along with two related vulnerabilities (CVE-2025-69259 and CVE-2025-69260), was privately reported by Tenable researchers and affects all on-premise Apex Central releases prior to Critical Patch Build 7190. Exploitation requires only network access to the vulnerable system, and technical details as well as proof-of-concept exploits have been publicly released.
Trend Micro has issued a critical patch to address these vulnerabilities and strongly urges customers to update to the latest build immediately. The company also recommends reviewing remote access policies and perimeter security to mitigate potential exploitation. The vulnerabilities can be triggered by sending specially crafted messages to the MsgReceiver.exe process, which listens on TCP port 20001, with CVE-2025-69258 enabling code execution and the others causing denial of service. No affected product versions were explicitly listed in the CVE database at the time of disclosure, but all prior releases are considered vulnerable.
Timeline
Jan 9, 2026
No in-the-wild exploitation confirmed as of January 9
As of 2026-01-09, reporting from Trend Micro and other coverage indicated there was no confirmed evidence that CVE-2025-69258 had been exploited in the wild. Despite that, public PoC availability increased the risk to internet-facing Apex Central servers.
Jan 8, 2026
CVE-2025-69258 is published with critical severity
On 2026-01-08, CVE-2025-69258 was published as a critical Trend Micro Apex Central remote code execution vulnerability with a CVSS score of 9.8. Advisories emphasized that the flaw is network-exploitable without authentication or user interaction and urged customers to apply Trend Micro's updates.
Jan 7, 2026
Tenable discloses technical details and PoC exploits for CVE-2025-69258
On 2026-01-07, Tenable publicly disclosed the Apex Central vulnerabilities it had privately reported, including technical details and proof-of-concept exploits. The disclosure showed that specially crafted messages to MsgReceiver.exe on TCP port 20001 could let unauthenticated attackers load a malicious DLL and execute code as SYSTEM.
Jan 7, 2026
Trend Micro releases Build 7190 to patch Apex Central flaws
On 2026-01-07, Trend Micro released Build 7190 for on-premises Apex Central to fix three remotely exploitable vulnerabilities affecting earlier versions. The most severe, CVE-2025-69258, allows unauthenticated remote code execution as SYSTEM; CVE-2025-69259 and CVE-2025-69260 can cause denial of service.
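The advisory describes the attack as a DLL being loaded into MsgReceiver.exe, which gives defenders a concrete thing to watch for. The script below is an added example, not code from Trend Micro or Tenable: it checks a reported build number against the fixed build 7190 and flags Sysmon Event ID 7 (ImageLoad) records where MsgReceiver.exe loads a DLL from outside a trusted directory or with an invalid signature. The Apex Central install path, the trusted-directory list and the sample events are assumptions constructed for the example.

```python
"""Flag DLLs loaded into MsgReceiver.exe from untrusted locations, using the
field names of Sysmon Event ID 7 (Image, ImageLoaded, SignatureStatus).
Install path and sample events are constructed assumptions, not advisory data."""
from pathlib import PureWindowsPath

# Assumed Apex Central install directory; adjust to the real path on the host.
APEX_DIR = PureWindowsPath(r"C:\Program Files (x86)\Trend Micro\Control Manager")
TRUSTED_DIRS = (APEX_DIR,
                PureWindowsPath(r"C:\Windows\System32"),
                PureWindowsPath(r"C:\Windows\SysWOW64"),
                PureWindowsPath(r"C:\Windows\WinSxS"))
PATCHED_BUILD = 7190  # Critical Patch Build 7190 is the first fixed build


def is_patched(build: int) -> bool:
    """True when the reported Apex Central build is 7190 or later."""
    return build >= PATCHED_BUILD


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive 'path lies beneath root' check on Windows path parts."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return p[:len(r)] == r


def suspicious_dll_loads(events):
    """Return (ImageLoaded, reason) pairs for loads into MsgReceiver.exe that
    come from an untrusted directory or lack a valid Authenticode signature."""
    hits = []
    for ev in events:
        if PureWindowsPath(ev["Image"]).name.lower() != "msgreceiver.exe":
            continue  # only the process the advisory names
        dll = PureWindowsPath(ev["ImageLoaded"])
        if not any(_under(dll, d) for d in TRUSTED_DIRS):
            hits.append((str(dll), "loaded from untrusted directory"))
        elif ev.get("SignatureStatus") != "Valid":
            hits.append((str(dll), "unsigned or invalid signature"))
    return hits


# Constructed Sysmon Event ID 7 records; DLL names are placeholders.
SAMPLE_EVENTS = [
    {"Image": str(APEX_DIR / "MsgReceiver.exe"),
     "ImageLoaded": str(APEX_DIR / "legit_example.dll"), "SignatureStatus": "Valid"},
    {"Image": str(APEX_DIR / "MsgReceiver.exe"),
     "ImageLoaded": r"C:\Windows\Temp\payload.dll", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\Public\x.dll", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for dll, why in suspicious_dll_loads(SAMPLE_EVENTS):
        print(f"ALERT {dll}: {why}")
```

Sysmon must be configured with ImageLoad events for MsgReceiver.exe for these records to exist; the same logic applies to EDR module-load telemetry with equivalent fields.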
Related Stories

Authenticated SQL Injection Flaws in Trend Micro Apex Central Enable RCE
Trend Micro Apex Central 2019 **Build 6016 and earlier** contains two high-severity authenticated SQL injection vulnerabilities, **`CVE-2023-32529`** and **`CVE-2023-32530`**, that can be escalated to remote code execution. The flaws affect the `modTMMS` certificate-handling workflow, where user-controlled X.509 certificate fields are incorporated into SQLite queries without proper validation, including the `AddCert()` and `DeleteCertById()` paths. Researchers said even low-privilege authenticated users can exploit the bugs by uploading crafted certificate data through `proxy_controller.php`, using `module=modTMMS` and `tmms_cmd=set_certificates_config` to reach the vulnerable functionality. Because Apex Central uses SQLite on the backend, attackers can abuse the injection to write a malicious PHP file into the webroot and execute system commands as the **`IUSR`** account. Both issues carry a **CVSS v3.1 score of 8.8** and were patched by Trend Micro on **December 19, 2022**, before public disclosure by STAR Labs and ZDI. Defenders are advised to update Apex Central to the latest available version and inspect the widget repository directory for suspicious PHP files that could indicate compromise.
3 weeks ago
Critical RCE Vulnerabilities in Trend Micro Apex One Management Console
**Trend Micro patched two critical remote code execution vulnerabilities in *Apex One* affecting Windows environments**, both caused by **path traversal weaknesses in the Apex One management console**: `CVE-2025-71210` and `CVE-2025-71211`. Trend Micro stated exploitation requires an attacker to have access to the management console, and warned organizations with consoles exposed to the internet to apply mitigations such as source/IP restrictions and to update to the latest builds; the fixes include updates for SaaS deployments and **Critical Patch Build 14136** for affected on-prem installations. Canada’s Centre for Cyber Security issued advisory **AV26-168** urging administrators to apply Trend Micro’s updates for **Apex One (on-premise)**, **Apex One as a Service (SaaS)**, and **Trend Vision One Endpoint / Standard Endpoint Protection (SaaS)**. Neither advisory indicated confirmed exploitation in the wild for these specific CVEs at the time of publication, but the vendor and reporting highlighted that **Apex One vulnerabilities have been actively exploited in prior campaigns**, reinforcing the need for rapid patching and exposure reduction of management interfaces.
1 month ago
Unauthenticated RCE Chain in Trend Micro Mobile Security Enterprise
Trend Micro Mobile Security (Enterprise) 9.8 SP5 through Critical Patch 3 contains two critical flaws, `CVE-2023-32523` and `CVE-2023-32524`, that allow unauthenticated attackers to achieve pre-authenticated remote code execution by chaining an authentication bypass with unrestricted file upload and local file inclusion weaknesses. In both cases, the application trusts a user-controlled `session_info` cookie at the `/widget` endpoint, automatically creates missing `WFUser` accounts with blank passwords, and binds them to a valid PHP session, giving attackers authenticated access without valid credentials. Attackers can then upload an arbitrary PHP file such as `PoolManager.php` into `C:\Windows\Temp` through `proxy_controller.php` and execute it via path traversal or unsanitized `require_once` input in `widget_package_manager.php` or `widgetforsecurity_package_manager.php`. The bugs are rated `CVSS 9.8`, require no authentication or user interaction, and could enable arbitrary code execution on the appliance and follow-on lateral movement. Trend Micro issued fixes on April 18, 2023, and defenders were advised to inspect `C:\Windows\Temp` for unexpected PHP files and review logs for suspicious requests hitting the vulnerable endpoints in close succession.
2 weeks ago
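Both the Apex Central modTMMS story and the Mobile Security story above end with the same advice: review web logs for requests hitting the named endpoints in close succession. The script below is an added example, not code from Trend Micro, STAR Labs or ZDI: it parses a simplified IIS W3C log layout (date, time, client IP, method, URI stem, query; constructed here) and raises an alert for a proxy_controller.php request carrying module=modTMMS and tmms_cmd=set_certificates_config, and for a proxy_controller.php request followed within 60 seconds by the same client calling widget_package_manager.php or widgetforsecurity_package_manager.php. The 60-second window and the sample lines are assumptions.

```python
"""Correlate web-server requests that match the endpoint sequences described
for the Apex Central modTMMS flaws and the Mobile Security widget chain.
Log lines are constructed in a simplified IIS W3C layout."""
from datetime import datetime, timedelta
from urllib.parse import parse_qs

WINDOW = timedelta(seconds=60)  # "close succession" threshold, an assumption
UPLOAD = "proxy_controller.php"
INCLUDERS = ("widget_package_manager.php", "widgetforsecurity_package_manager.php")


def parse_line(line):
    """Fields: date time c-ip cs-method cs-uri-stem cs-uri-query ('-' if none)."""
    date, time, ip, method, stem, query = line.split()[:6]
    qs = parse_qs("" if query == "-" else query)
    return {"ts": datetime.fromisoformat(f"{date} {time}"), "ip": ip,
            "method": method, "stem": stem.lower(),
            "q": {k: v[0] for k, v in qs.items()}}


def find_suspicious(lines):
    """Return (client_ip, reason) alerts, grouped per client and time-ordered."""
    reqs = sorted((parse_line(l) for l in lines), key=lambda r: r["ts"])
    by_ip = {}
    for r in reqs:
        by_ip.setdefault(r["ip"], []).append(r)
    alerts = []
    for ip, rs in by_ip.items():
        for i, r in enumerate(rs):
            if not r["stem"].endswith(UPLOAD):
                continue
            if (r["q"].get("module") == "modTMMS"
                    and r["q"].get("tmms_cmd") == "set_certificates_config"):
                alerts.append((ip, "modTMMS certificate config request (CVE-2023-32529/32530 path)"))
            for later in rs[i + 1:]:  # look for an include shortly after the upload
                if later["ts"] - r["ts"] > WINDOW:
                    break
                if later["stem"].endswith(INCLUDERS):
                    name = later["stem"].rsplit("/", 1)[-1]
                    alerts.append((ip, f"upload then include via {name} within {WINDOW.seconds}s"))
                    break
    return alerts


SAMPLE_LOG = [  # constructed lines; addresses are documentation ranges
    "2026-01-10 10:00:01 203.0.113.7 GET /widget/index.php -",
    "2026-01-10 10:00:05 203.0.113.7 POST /widget/proxy_controller.php module=modTMMS&tmms_cmd=set_certificates_config",
    "2026-01-10 10:00:09 203.0.113.7 GET /widget/widget_package_manager.php -",
    "2026-01-10 10:03:00 198.51.100.4 GET /widget/proxy_controller.php module=modDashboard&cmd=list",
]

if __name__ == "__main__":
    for ip, why in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {ip}: {why}")
```

Real IIS logs add more columns and may log the query URL-encoded; map the six fields used here onto your server's configured W3C columns before running it over production logs.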