CVE-2025-69258
LoadLibraryEX DLL Hijacking in Trend Micro Apex Central Allows SYSTEM Code Execution
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: Trend Micro, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trend_micro | apex_central | before 7190 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-69258 is a critical remote code execution vulnerability in Trend Micro Apex Central. It arises from a flaw in how the MsgReceiver.exe component, which listens on TCP port 20001, calls the LoadLibraryEx function. An unauthenticated remote attacker can send a specially crafted message containing a DLL name that the component then loads via LoadLibraryEx with altered search path flags. This allows the attacker to load a malicious DLL from a remote SMB share and execute arbitrary code with SYSTEM-level privileges on the affected system, leading to full system compromise. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the affected system with SYSTEM privileges, which is the highest level of access. This means the attacker can take full control of the system, potentially leading to data theft, system manipulation, installation of malware, or disruption of services. The impact is severe, with a CVSS v3.1 base score of 9.8, indicating critical risk. Exploitation requires no authentication and can be performed remotely over the network. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic for connections to TCP port 20001, which is used by the vulnerable MsgReceiver.exe component. Detection involves identifying attempts to send specially crafted messages, particularly those with message ID 0x0a8d (SC_INSTALL_HANDLER_REQUEST) that include DLL names potentially pointing to remote SMB shares. While specific commands are not provided, network monitoring tools can be configured to alert on unusual SMB paths or unexpected DLL load attempts via this port. Additionally, reviewing logs for unexpected LoadLibraryEx calls or suspicious DLL loading activities on affected executables (MsgReceiver.exe) may help detect exploitation attempts. [2]
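The two host-side signals named above, a DLL load by MsgReceiver.exe from an SMB share (or any unexpected directory) and an inbound connection to its TCP 20001 listener from an untrusted network, can be checked with endpoint telemetry. The following is an added example, not part of this CVE record: it runs over constructed Sysmon-style events (ID 7 ImageLoaded, ID 3 NetworkConnect) held as dicts, and the product install path and the trusted network range are assumptions to adjust.

```python
import ipaddress
VULN_IMAGE = "msgreceiver.exe"
LISTEN_PORT = 20001
# Where a benign MsgReceiver.exe is expected to load DLLs from (install path is assumed; adjust).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files (x86)\\trend micro\\control manager\\",
)

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def suspicious_image_load(ev):
    """Sysmon ID 7 (ImageLoaded): MsgReceiver.exe loads a DLL from a UNC share or outside TRUSTED_DIRS."""
    if ev.get("EventID") != 7 or _basename(ev["Image"]) != VULN_IMAGE:
        return False
    loaded = ev["ImageLoaded"].lower()
    return loaded.startswith("\\\\") or not loaded.startswith(TRUSTED_DIRS)

def external_connection(ev, trusted_nets):
    """Sysmon ID 3 (NetworkConnect): inbound connection to the tcp/20001 listener from an untrusted source."""
    if ev.get("EventID") != 3 or _basename(ev["Image"]) != VULN_IMAGE:
        return False
    if ev.get("Initiated") != "false" or int(ev["DestinationPort"]) != LISTEN_PORT:
        return False
    src = ipaddress.ip_address(ev["SourceIp"])
    return not any(src in net for net in trusted_nets)

def triage(events, trusted_nets):
    """Return one finding string per suspicious event, in input order."""
    findings = []
    for ev in events:
        if suspicious_image_load(ev):
            findings.append(f"dll-load {ev['ImageLoaded']}")
        elif external_connection(ev, trusted_nets):
            findings.append(f"inbound {ev['SourceIp']} -> tcp/{ev['DestinationPort']}")
    return findings

# Constructed sample telemetry, not real events; RFC 5737 addresses stand in for external hosts.
EXE = "C:\\Program Files (x86)\\Trend Micro\\Control Manager\\MsgReceiver.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": EXE, "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"EventID": 7, "Image": EXE, "ImageLoaded": "\\\\203.0.113.5\\share\\handler.dll"},
    {"EventID": 7, "Image": EXE, "ImageLoaded": "C:\\Users\\Public\\handler.dll"},
    {"EventID": 3, "Image": EXE, "Initiated": "false", "SourceIp": "10.0.0.8", "DestinationPort": "20001"},
    {"EventID": 3, "Image": EXE, "Initiated": "false", "SourceIp": "198.51.100.7", "DestinationPort": "20001"},
]
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
```

Legitimate loads from directories not listed in TRUSTED_DIRS will also be flagged, so the allow-list has to be tuned to the actual installation before the rule is used for alerting.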
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Trend Micro Apex Central to Build 7190 or later, where this vulnerability is fixed. Applying the critical patch released in January 2026 is strongly recommended. Additionally, restricting network access to trusted networks and reviewing remote access policies and perimeter security can reduce the risk of exploitation. Customers should promptly apply the patch and ensure that vulnerable components such as MsgReceiver.exe and msgHandlerLogReceiver.dll are updated to the patched versions. [1, 3, 2]