CVE-2025-69258
Unknown Unknown - Not Provided
LoadLibraryEX DLL Hijacking in Trend Micro Apex Central Allows SYSTEM Code Execution

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: Trend Micro, Inc.

Description
A LoadLibraryEX vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to load an attacker-controlled DLL into a key executable, leading to execution of attacker-supplied code under the context of SYSTEM on affected installations.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-15
NVD
CVE-2025-69258
EUVD
EUVD-2026-1568
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
trend_micro apex_central to 7190 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-69258 is a critical remote code execution vulnerability in Trend Micro Apex Central. It arises from a flaw in the LoadLibraryEX function used by the MsgReceiver.exe component, which listens on TCP port 20001. An unauthenticated remote attacker can send a specially crafted message containing a DLL name that the system loads using LoadLibraryEx with altered search path flags. This allows the attacker to load a malicious DLL from a remote SMB share and execute arbitrary code with SYSTEM-level privileges on the affected system, leading to full system compromise. [1, 2, 3]

Impact Analysis

This vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the affected system with SYSTEM privileges, which is the highest level of access. This means the attacker can take full control of the system, potentially leading to data theft, system manipulation, installation of malware, or disruption of services. The impact is severe, with a CVSS v3.1 base score of 9.8, indicating critical risk. Exploitation requires no authentication and can be performed remotely over the network. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by monitoring network traffic for connections to TCP port 20001, which is used by the vulnerable MsgReceiver.exe component. Detection involves identifying attempts to send specially crafted messages, particularly those with message ID 0x0a8d (SC_INSTALL_HANDLER_REQUEST) that include DLL names potentially pointing to remote SMB shares. While specific commands are not provided, network monitoring tools can be configured to alert on unusual SMB paths or unexpected DLL load attempts via this port. Additionally, reviewing logs for unexpected LoadLibraryEx calls or suspicious DLL loading activities on affected executables (MsgReceiver.exe) may help detect exploitation attempts. [2]

Mitigation Strategies

Immediate mitigation steps include upgrading Trend Micro Apex Central to Build 7190 or later, where this vulnerability is fixed. Applying the critical patch released in January 2026 is strongly recommended. Additionally, restricting network access to trusted networks and reviewing remote access policies and perimeter security can reduce the risk of exploitation. Customers should promptly apply the patch and ensure that vulnerable components such as MsgReceiver.exe and msgHandlerLogReceiver.dll are updated to the patched versions. [1, 3, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69258. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart