CVE-2025-71210
Remote Code Execution in Trend Micro Apex One
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: Trend Micro, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trend_micro | apex_one | to 2025-09-11 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-71210 is a critical vulnerability in the Trend Micro Apex One management console that allows a remote attacker to upload malicious code and execute arbitrary commands without authentication.
The flaw exists due to improper validation of user-supplied strings in the Apex One console, which listens on TCP ports 8080 and 4343 by default.
Exploiting this vulnerability could allow an attacker to run code in the context of the IUSR account.
How can this vulnerability impact me?
This vulnerability can have a severe impact as it allows remote attackers to execute arbitrary code on affected installations without any authentication.
An attacker exploiting this flaw could gain control over the system running the Apex One console, potentially leading to data breaches, system compromise, or disruption of services.
Customers with their Apex One management console's IP address exposed externally are at higher risk and should apply mitigating controls such as source restrictions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the Trend Micro Apex One management console, which listens on TCP ports 8080 and 4343 by default.
To detect if your system is potentially vulnerable, you can check if these ports are open and accessible on your network.
- Use a network scanning tool like nmap to check for open ports: `nmap -p 8080,4343 <target-ip>`
- Check if the Trend Micro Apex One management console service is running on the system.
Since the vulnerability involves improper validation of user-supplied strings allowing remote code execution, monitoring for unusual or unauthorized requests to these ports could also help detect exploitation attempts.
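An added example, not from Trend Micro or this page's source: one way to do the request monitoring described above, assuming the console's web server writes W3C extended logs with a `#Fields:` header. The trusted subnet, the sample log lines and their placeholder URLs are constructed, and the traversal pattern is a generic CWE-22 marker rather than a published indicator for this CVE.

```python
import ipaddress
import re
from urllib.parse import unquote

CONSOLE_PORTS = {"8080", "4343"}   # default console ports named on this page
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumption: admin subnet
TRAVERSAL = re.compile(r"\.\.[/\\]")  # generic CWE-22 marker, not a vendor indicator

# Constructed W3C-style sample; URLs are placeholders, not real console paths.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2026-05-21 09:00:01 GET /placeholder/a - 4343 10.20.0.15 200
2026-05-21 09:00:07 POST /placeholder/b name=..%2f..%2fexample.txt 4343 203.0.113.9 200
2026-05-21 09:00:09 GET /placeholder/c - 8080 198.51.100.4 200
2026-05-21 09:00:12 GET /placeholder/%252e%252e%5cexample.txt - 8080 10.20.0.15 404
2026-05-21 09:00:15 GET /placeholder/..%2fexample.txt - 80 203.0.113.9 404
"""

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences become visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def review(log_text):
    """Return (line_no, client_ip, reasons) for console-port requests to triage."""
    fields, findings = [], []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column order is declared by the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("s-port") not in CONSOLE_PORTS:
            continue
        reasons = []
        if not any(ipaddress.ip_address(rec["c-ip"]) in net for net in TRUSTED_NETS):
            reasons.append("untrusted-source")
        if TRAVERSAL.search(decode_fully(rec["cs-uri-stem"] + "?" + rec["cs-uri-query"])):
            reasons.append("path-traversal-sequence")
        if reasons:
            findings.append((line_no, rec["c-ip"], reasons))
    return findings

if __name__ == "__main__":
    print(*review(SAMPLE_LOG), sep="\n")
```

A hit on `untrusted-source` alone shows the console is reachable from outside the allowlist; a traversal hit from any source is worth reviewing against the request's status code and any files written around that time.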
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the security update released by Trend Micro that addresses this vulnerability.
If your Apex One management console is exposed externally, restrict access to it with source restrictions or firewall rules so that only trusted networks can reach it.
Since the SaaS versions have already been mitigated, no action is required for those customers.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.