Critical RCE Vulnerabilities in Trend Micro Apex One Management Console

Tags: widely-deployed-product-advisory, endpoint-software-vulnerability, internet-exposed-service, cloud-service-vulnerability
Updated March 21, 2026 at 02:18 PM · 5 sources

Trend Micro patched two critical remote code execution vulnerabilities in Apex One affecting Windows environments, both caused by path traversal weaknesses in the Apex One management console: CVE-2025-71210 and CVE-2025-71211. Trend Micro stated exploitation requires an attacker to have access to the management console, and warned organizations with consoles exposed to the internet to apply mitigations such as source/IP restrictions and to update to the latest builds; the fixes include updates for SaaS deployments and Critical Patch Build 14136 for affected on-prem installations.

Canada’s Centre for Cyber Security issued advisory AV26-168 urging administrators to apply Trend Micro’s updates for Apex One (on-premise), Apex One as a Service (SaaS), and Trend Vision One Endpoint / Standard Endpoint Protection (SaaS). Neither advisory indicated confirmed exploitation in the wild for these specific CVEs at the time of publication, but the vendor and reporting highlighted that Apex One vulnerabilities have been actively exploited in prior campaigns, reinforcing the need for rapid patching and exposure reduction of management interfaces.
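The two controls the advisory leans on, keeping console file handling inside an intended directory and restricting which source addresses may reach the console at all, are shown below in a small Python example added here for illustration. It is not Trend Micro code and says nothing about how Apex One implements either check; the base directory, the allowlisted networks and the `review_request` helper are all constructed for the example.

```python
"""Illustration of the two defensive checks the advisory describes:
1. path traversal containment (a requested name must resolve under a fixed base);
2. source-address restriction for a management interface.
All names, paths and networks here are constructed for this example."""
import ipaddress
from pathlib import Path

# Hypothetical directory that console file operations are meant to stay inside.
CONSOLE_FILE_ROOT = "/srv/console/files"
# Hypothetical internal ranges permitted to reach the management console.
CONSOLE_ALLOWED_NETWORKS = ["10.20.0.0/16", "192.168.50.0/24"]


def resolve_under(base_dir, requested):
    """Return the resolved path if `requested` stays inside `base_dir`, else None.

    Resolving both sides and then checking containment catches '..' segments,
    absolute paths and mixed separators that a naive string prefix test misses."""
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return None  # escaped the base directory: reject
    return target


def source_allowed(client_ip, allowed_networks):
    """True if the client address falls inside one of the allowlisted networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in allowed_networks)


def review_request(client_ip, requested_name):
    """Combine both checks in the order a perimeter should apply them:
    source restriction first, then path containment. Returns a short verdict."""
    if not source_allowed(client_ip, CONSOLE_ALLOWED_NETWORKS):
        return "denied: source not allowlisted"
    if resolve_under(CONSOLE_FILE_ROOT, requested_name) is None:
        return "denied: path escapes console root"
    return "allowed"


if __name__ == "__main__":
    for ip, name in [("10.20.1.7", "reports/summary.txt"),
                     ("10.20.1.7", "../../etc/passwd"),
                     ("203.0.113.5", "reports/summary.txt")]:
        print(ip, name, "->", review_request(ip, name))
```

The ordering in `review_request` matters in practice: a source restriction in front of the console removes the unauthenticated attack surface regardless of how the traversal bug itself behaves, which is why the vendor recommends it alongside, not instead of, applying the build.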

Timeline

  1. Feb 25, 2026

    Canadian Centre for Cyber Security issues notice urging updates

    On February 25, 2026, the Canadian Centre for Cyber Security published notice AV26-168 highlighting Trend Micro's advisory and urging users and administrators to review the guidance and apply necessary updates. The notice identified affected products including Apex One on-premises, Apex One as a Service, and Trend Vision One Endpoint.

  2. Feb 24, 2026

    Trend Micro publishes February 2026 Apex One security advisory

    On February 24, 2026, Trend Micro published a security advisory for Apex One and related products covering two critical directory traversal vulnerabilities in the management console that could lead to remote code execution, along with additional high-severity flaws. The advisory said SaaS versions had already been mitigated and released Critical Patch Build 14136 for affected on-premises systems.


Related Stories

Critical Unauthenticated RCE Vulnerability in Trend Micro Apex Central (CVE-2025-69258)

A critical remote code execution vulnerability, tracked as CVE-2025-69258, was discovered in Trend Micro Apex Central (on-premise), allowing unauthenticated attackers to load a malicious DLL into the `MsgReceiver.exe` process and execute code with SYSTEM privileges. The flaw, along with two related vulnerabilities (CVE-2025-69259 and CVE-2025-69260), was privately reported by Tenable researchers and affects all previous releases of Apex Central prior to Critical Patch Build 7190. Exploitation requires only network access to the vulnerable system, and technical details as well as proof-of-concept exploits have been publicly released. Trend Micro has issued a critical patch to address these vulnerabilities and strongly urges customers to update to the latest build immediately. The company also recommends reviewing remote access policies and perimeter security to mitigate potential exploitation. The vulnerabilities can be triggered by sending specially crafted messages to the `MsgReceiver.exe` process, which listens on TCP port 20001, with CVE-2025-69258 enabling code execution and the others causing denial of service. No affected product versions were explicitly listed in the CVE database at the time of disclosure, but all prior releases are considered vulnerable.

1 month ago
Authenticated SQL Injection Flaws in Trend Micro Apex Central Enable RCE

Trend Micro Apex Central 2019 **Build 6016 and earlier** contains two high-severity authenticated SQL injection vulnerabilities, **`CVE-2023-32529`** and **`CVE-2023-32530`**, that can be escalated to remote code execution. The flaws affect the `modTMMS` certificate-handling workflow, where user-controlled X.509 certificate fields are incorporated into SQLite queries without proper validation, including the `AddCert()` and `DeleteCertById()` paths. Researchers said even low-privilege authenticated users can exploit the bugs by uploading crafted certificate data through `proxy_controller.php`, using `module=modTMMS` and `tmms_cmd=set_certificates_config` to reach the vulnerable functionality. Because Apex Central uses SQLite on the backend, attackers can abuse the injection to write a malicious PHP file into the webroot and execute system commands as the **`IUSR`** account. Both issues carry a **CVSS v3.1 score of 8.8** and were patched by Trend Micro on **December 19, 2022**, before public disclosure by STAR Labs and ZDI. Defenders are advised to update Apex Central to the latest available version and inspect the widget repository directory for suspicious PHP files that could indicate compromise.

3 weeks ago
Unauthenticated RCE Chain in Trend Micro Mobile Security Enterprise

Trend Micro Mobile Security (Enterprise) 9.8 SP5 through Critical Patch 3 contains two critical flaws, `CVE-2023-32523` and `CVE-2023-32524`, that allow unauthenticated attackers to achieve pre-authenticated remote code execution by chaining an authentication bypass with unrestricted file upload and local file inclusion weaknesses. In both cases, the application trusts a user-controlled `session_info` cookie at the `/widget` endpoint, automatically creates missing `WFUser` accounts with blank passwords, and binds them to a valid PHP session, giving attackers authenticated access without valid credentials. Attackers can then upload an arbitrary PHP file such as `PoolManager.php` into `C:\Windows\Temp` through `proxy_controller.php` and execute it via path traversal or unsanitized `require_once` input in `widget_package_manager.php` or `widgetforsecurity_package_manager.php`. The bugs are rated `CVSS 9.8`, require no authentication or user interaction, and could enable arbitrary code execution on the appliance and follow-on lateral movement. Trend Micro issued fixes on April 18, 2023, and defenders were advised to inspect `C:\Windows\Temp` for unexpected PHP files and review logs for suspicious requests hitting the vulnerable endpoints in close succession.

2 weeks ago
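Both the Apex Central SQL injection story and the Mobile Security chain story end with the same defender advice: review web-server logs for requests reaching the named endpoints, and look for them arriving in close succession. The following Python script is an added example of that triage, not code from Mallory, Trend Micro or the cited researchers. The log field order, the 120-second window, the `pkg` parameter name and every sample line are constructed for the example; adapt `parse_line` to the actual IIS W3C fields configured on the server being reviewed.

```python
"""Triage access-log lines for the endpoint patterns named in the two stories:
- proxy_controller.php called with module=modTMMS&tmms_cmd=set_certificates_config
- traversal markers ('..') in a query to any logged endpoint
- two different vulnerable endpoints hit by one client within a short window.
Log format, sample lines and parameter names are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote

# Constructed sample log. Field order assumed here (not a vendor format):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2023-04-20 10:00:01 10.0.0.5 GET /widget/index.php - 200
2023-04-20 10:00:02 10.0.0.5 POST /widget/proxy_controller.php module=modTMMS&tmms_cmd=set_certificates_config 200
2023-04-20 10:00:07 10.0.0.5 GET /widget/widget_package_manager.php pkg=..%2F..%2FTemp%2FPoolManager.php 200
2023-04-20 11:30:00 10.0.0.9 GET /widget/index.php - 200
2023-04-20 11:30:01 10.0.0.9 GET /widget/dashboard.php view=summary 200
"""

# Endpoint file names taken from the two stories above.
VULNERABLE_ENDPOINTS = {
    "proxy_controller.php",
    "widget_package_manager.php",
    "widgetforsecurity_package_manager.php",
}
CLOSE_SUCCESSION = timedelta(seconds=120)  # assumed window


def parse_line(line):
    """Split one constructed log line into a record dict."""
    date, time_, ip, method, stem, query, status = line.split(" ", 6)
    return {
        "ts": datetime.fromisoformat(f"{date} {time_}"),
        "ip": ip,
        "method": method,
        "stem": stem,
        "query": "" if query == "-" else query,
        "status": int(status),
    }


def has_traversal(query):
    """Detect '..' after two rounds of URL decoding, treating '\\' like '/'."""
    decoded = unquote(unquote(query)).replace("\\", "/")
    return ".." in decoded


def is_modtmms_cert_request(rec):
    """The proxy_controller.php call path named in the Apex Central story."""
    qs = parse_qs(rec["query"])
    return (rec["stem"].endswith("proxy_controller.php")
            and qs.get("module") == ["modTMMS"]
            and qs.get("tmms_cmd") == ["set_certificates_config"])


def find_findings(log_text):
    """Return a list of (client_ip, description) for every suspicious pattern."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec)
        if is_modtmms_cert_request(rec):
            findings.append((rec["ip"], "modTMMS certificate-config request"))
        if has_traversal(rec["query"]):
            findings.append((rec["ip"], f"traversal marker in query to {rec['stem']}"))
    # Per client: two different vulnerable endpoints within the window.
    for ip, recs in by_ip.items():
        hits = [r for r in recs if r["stem"].rsplit("/", 1)[-1] in VULNERABLE_ENDPOINTS]
        for first, second in zip(hits, hits[1:]):
            if first["stem"] != second["stem"] and second["ts"] - first["ts"] <= CLOSE_SUCCESSION:
                findings.append((ip, "vulnerable endpoints hit in close succession"))
    return findings


if __name__ == "__main__":
    for ip, what in find_findings(SAMPLE_LOG):
        print(f"{ip}: {what}")
```

On the constructed sample, client 10.0.0.5 produces all three findings and 10.0.0.9 none. The succession rule deliberately requires two different endpoints, so an administrator repeatedly using one page does not trip it; the traversal rule decodes twice because a single-encoded `%2e%2e` and a double-encoded `%252e%252e` both reach the same file system call once the server has unescaped them.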