CVE-2025-71211
Remote Code Execution in Trend Micro Apex One
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: Trend Micro, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trend_micro | apex_one | to 2025-09-11 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-71211 is a critical vulnerability in the Trend Micro Apex One management console that allows a remote attacker to upload malicious code and execute arbitrary commands on affected installations.
The flaw exists due to improper validation of user-supplied strings in the Apex One console, which listens on TCP ports 8080 and 4343 by default.
Exploiting this vulnerability could enable attackers to run code in the context of the IUSR account without requiring authentication.
An attacker must have access to the Apex One Management Console, so exposure of the console's IP address externally increases risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how CVE-2025-71211 affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
This vulnerability can have severe impacts as it allows remote attackers to execute arbitrary code on the affected system.
Successful exploitation could lead to full compromise of the system running the Apex One console, including unauthorized control and potential disruption of services.
Because the vulnerability can be exploited without authentication, it poses a high risk, especially if the console is exposed externally.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the Trend Micro Apex One management console, which listens on TCP ports 8080 and 4343 by default.
To detect if your system is potentially vulnerable, you can check if these ports are open and if the Apex One console is accessible.
- Use a network scanning tool like nmap to check for open ports: `nmap -p 8080,4343 <target-ip>`
- Attempt to identify the service running on these ports with: `curl -I http://<target-ip>:8080` or `curl -I https://<target-ip>:4343`
Since the vulnerability involves improper validation of user-supplied strings allowing remote code execution, monitoring unusual or unauthorized requests to these ports could also help detect exploitation attempts.
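One way to do the request monitoring described above is sketched below. This is an added example, not code from this page or from Trend Micro. It flags requests to the console ports that come from outside a trusted network or that carry a `..` path segment (CWE-22). It assumes the web server in front of the console writes W3C extended logs with a `#Fields:` header; the trusted subnet, the sample log lines and the URI paths are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import unquote

CONSOLE_PORTS = {"8080", "4343"}                  # default console ports named on this page
TRUSTED = [ipaddress.ip_network("10.20.0.0/24")]  # assumption: your admin subnet(s)

# Constructed sample log (not real traffic); URI paths are placeholders.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2026-05-21 08:01:12 10.20.0.5 GET /placeholder/index.html - 4343 10.20.0.17 200
2026-05-21 08:03:40 10.20.0.5 POST /placeholder/handler name=..%2f..%2fx.bin 4343 203.0.113.9 200
2026-05-21 08:04:02 10.20.0.5 GET /placeholder/index.html - 8080 198.51.100.4 302
2026-05-21 08:05:30 10.20.0.5 GET /other/app - 443 203.0.113.9 200
"""

def has_traversal(value):
    """True if a URI component holds '..' as a whole segment after decoding."""
    for _ in range(3):                  # unwrap nested percent-encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return ".." in re.split(r"[/\\=&?;]", value)

def flag_requests(log_text, trusted=TRUSTED):
    """Return (c-ip, s-port, cs-uri-stem, reasons) for suspicious console requests."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the records that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("s-port") not in CONSOLE_PORTS:
            continue
        reasons = []
        try:
            src = ipaddress.ip_address(rec.get("c-ip", ""))
            if not any(src in net for net in trusted):
                reasons.append("untrusted-source")
        except ValueError:
            reasons.append("unparseable-source")
        if any(has_traversal(rec.get(k, "")) for k in ("cs-uri-stem", "cs-uri-query")):
            reasons.append("traversal-sequence")
        if reasons:
            findings.append((rec.get("c-ip"), rec["s-port"], rec.get("cs-uri-stem"), reasons))
    return findings
```

Call `flag_requests()` on the text of a log file and review each returned tuple; a hit is a lead for investigation, not proof of exploitation.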
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the Trend Micro Apex One Management Console, especially if its IP address is exposed externally.
- Apply source IP restrictions or firewall rules to limit access to trusted networks only.
- Ensure that the Apex One console is not directly accessible from the internet.
- Update the Trend Micro Apex One console to the latest version released by Trend Micro that addresses this vulnerability.
Note that SaaS versions of the product have already been mitigated and require no customer action.