CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Trend Micro Apex One Management Console 0-Day Exploited

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

Trend Micro has disclosed and patched two critical vulnerabilities, CVE-2025-71210 and CVE-2025-71211, in its on-premise Apex One Management Console. These vulnerabilities allow for remote code execution (RCE) on vulnerable Windows systems. Trend Micro has released Critical Patch Build 14136 to address these vulnerabilities, which also fixes two high-severity privilege escalation flaws in the Windows agent and four more affecting the macOS agent. The vulnerabilities are due to path traversal weaknesses in the management console and require attackers to have access to it. Previously, Trend Micro disclosed two other critical vulnerabilities, CVE-2025-54948 and CVE-2025-54987, which were actively exploited in the wild. These vulnerabilities allowed for command injection and remote code execution. Trend Micro has released temporary mitigations and is urging users to apply them immediately to protect against potential attacks.

Timeline

  1. 26.02.2026 19:58 1 articles · 23h ago

    Trend Micro patches critical Apex One RCE vulnerabilities

    Trend Micro has patched two critical Apex One vulnerabilities, CVE-2025-71210 and CVE-2025-71211, which allow remote code execution (RCE) on vulnerable Windows systems. These vulnerabilities are due to path traversal weaknesses in the Trend Micro Apex One management console. Successful exploitation requires attackers to have access to the Trend Micro Apex One Management Console. Trend Micro has released Critical Patch Build 14136 to address these vulnerabilities, which also fixes two high-severity privilege escalation flaws in the Windows agent and four more affecting the macOS agent.

    Show sources
    Open in new tab
  2. 11.08.2025 14:53 2 articles · 6mo ago

    Trend Micro Apex One Management Console 0-Day Exploited

    Trend Micro has disclosed two critical vulnerabilities, CVE-2025-54948 and CVE-2025-54987, in its on-premise Apex One Management Console. These vulnerabilities are actively exploited in the wild and allow for command injection and remote code execution. Trend Micro has released temporary mitigations and is urging users to apply them immediately to protect against potential attacks. The vulnerabilities affect versions of the Apex One Management Console that are deployed on-premise.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Critical Pre-Auth RCE Vulnerability in BeyondTrust Remote Support and PRA

BeyondTrust has patched a critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-1731, CVSS 9.9) in Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw could allow unauthenticated attackers to execute OS commands in the context of the site user, leading to unauthorized access, data exfiltration, and service disruption. The vulnerability affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Patches are available in RS versions 25.3.2 and later, and PRA versions 25.1.1 and later. Self-hosted customers must manually apply updates if not subscribed to automatic updates. The vulnerability was discovered on January 31, 2026, with approximately 11,000 exposed instances identified, including around 8,500 on-prem deployments. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. The flaw was discovered by Harsh Jaiswal and the Hacktron AI team. Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that do not require user interaction. In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability. Attackers have begun actively exploiting the CVE-2026-1731 vulnerability in the wild, abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. A proof-of-concept exploit targeting the /get_portal_info endpoint was published on GitHub. Threat actors have been observed exploiting CVE-2026-1731 to conduct network reconnaissance, deploy web shells, establish command-and-control (C2) channels, install backdoors and remote management tools, perform lateral movement, and exfiltrate data. The attacks have targeted financial services, legal services, high technology, higher education, wholesale and retail, and healthcare sectors across the U.S., France, Germany, Australia, and Canada. The vulnerability enables attackers to inject and execute arbitrary shell commands via the affected 'thin-scc-wrapper' script through the WebSocket interface. Attackers have deployed multiple web shells, including a PHP backdoor and a bash dropper, to maintain persistent access. Malware such as VShell and Spark RAT have been deployed as part of the exploitation. Out-of-band application security testing (OAST) techniques have been used to validate successful code execution and fingerprint compromised systems. Sensitive data, including configuration files, internal system databases, and a full PostgreSQL dump, have been exfiltrated to an external server. CVE-2026-1731 and CVE-2024-12356 share a common issue with input validation within distinct execution pathways. CVE-2026-1731 could be a target for sophisticated threat actors, similar to CVE-2024-12356 which was exploited by China-nexus threat actors like Silk Typhoon. CISA has confirmed that CVE-2026-1731 has been exploited in ransomware campaigns. CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog on February 13 and gave federal agencies three days to apply the patch or stop using the product. Proof-of-concept (PoC) exploits for CVE-2026-1731 became available shortly after the initial disclosure, and exploitation was detected on January 31, making it a zero-day vulnerability for at least a week. CISA has activated the 'Known To Be Used in Ransomware Campaigns?' indicator in the KEV catalog for CVE-2026-1731. Customers of the cloud-based application (SaaS) had the patch applied automatically on February 2. Self-hosted instance customers need to either enable automatic updates or manually install the patch. For Remote Support, the recommended version is 25.3.2. For Privileged Remote Access, the recommended version is 25.1.1 or newer. Customers still using RS v21.3 and PRA v22.1 are recommended to upgrade to a newer version before applying the patch.

Open in new tab

CVE-2024-37079 in VMware vCenter Exploited in the Wild

CVE-2024-37079, a critical heap overflow flaw in VMware vCenter Server, is being actively exploited in the wild. The vulnerability, patched in June 2024, allows remote code execution via a specially crafted network packet. Broadcom confirmed the active exploitation and advised customers to apply security patches immediately. CISA added the flaw to its KEV catalog, mandating FCEB agencies to secure their systems by February 13, 2026, under BOD 22-01. There are no known workarounds or mitigations, emphasizing the urgency of applying the latest patches.

Open in new tab

Cisco Unified Communications RCE Zero-Day Exploited in Attacks

Cisco has patched a critical remote code execution vulnerability (CVE-2026-20045) in its Unified Communications and Webex Calling products, which has been actively exploited in attacks. The flaw, with a CVSS score of 8.2, allows attackers to gain user-level access and escalate privileges to root on affected systems. Cisco has released patches for various versions of the impacted products and urged customers to update immediately. The U.S. CISA has added the vulnerability to its KEV Catalog, requiring federal agencies to patch by February 11, 2026.

Open in new tab

Critical RCE Flaw in Trend Micro Apex Central On-Prem Windows

Trend Micro has addressed critical vulnerabilities in on-premise Windows versions of Apex Central, including a remote code execution (RCE) flaw (CVE-2025-69258) with a CVSS score of 9.8. The flaw allows unauthenticated remote attackers to execute arbitrary code under SYSTEM context. Two additional flaws (CVE-2025-69259, CVE-2025-69260) with CVSS scores of 7.5 each can cause denial-of-service conditions. The vulnerabilities affect versions below Build 7190 and require physical or remote access to exploit. Apex Central is a web-based management console that helps admins manage multiple Trend Micro products and services, including antivirus, content security, and threat detection. Trend Micro has released Critical Patch Build 7190 to address these vulnerabilities.

Open in new tab

FortiWeb Zero-Day Exploitation (CVE-2025-58034)

Fortinet has released security updates to address a new zero-day vulnerability (CVE-2025-58034) in FortiWeb, which is being actively exploited in the wild. The flaw, an OS command injection vulnerability with a CVSS score of 6.7, allows authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands. Fortinet advises upgrading FortiWeb devices to the latest versions to mitigate the risk. CISA has added CVE-2025-58034 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it within a week. This follows another FortiWeb zero-day (CVE-2025-64446) that was silently patched in October and added to CISA's actively exploited vulnerabilities catalog. CVE-2025-64446 has a CVSS score of 9.1 and was patched in version 8.0.2. Fortinet has patched CVE-2025-58034 in FortiWeb versions 8.0.2, 7.6.6, 7.4.11, 7.2.12, and 7.0.12.

Open in new tab