CVE-2025-54987 is a critical OS command injection vulnerability affecting the on-premise management console of Trend Micro Apex One, specifically version 2019 (14.0). This vulnerability allows a remote attacker to execute arbitrary commands on the affected system without requiring any authentication or user interaction. The flaw stems from improper input validation in the management console, enabling an attacker to upload malicious code and execute it remotely. This vulnerability is similar to CVE-2025-54948 but targets a different CPU architecture, indicating that multiple hardware platforms running Apex One are at risk. The CVSS v3.1 base score of 9.4 reflects the high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact on confidentiality is high due to potential data exposure, integrity impact is low, and availability impact is high, as attackers could disrupt or take control of the security management console. Although no known exploits are currently reported in the wild, the critical nature and ease of exploitation make this a significant threat. Trend Micro Apex One is widely used by enterprises for endpoint security management, and compromise of its management console could lead to widespread control over endpoint defenses, potentially allowing attackers to disable protections, deploy malware, or exfiltrate sensitive data.

For European organizations, the impact of CVE-2025-54987 could be severe. Trend Micro Apex One is commonly deployed in large enterprises, government agencies, and critical infrastructure sectors across Europe. A successful exploitation could lead to unauthorized command execution on the management console, resulting in loss of control over endpoint security policies and protections. This could facilitate lateral movement within networks, data breaches, ransomware deployment, or disruption of business-critical services. The confidentiality of sensitive personal data protected under GDPR could be compromised, leading to regulatory penalties and reputational damage. Additionally, availability impacts could disrupt security operations and incident response capabilities. Given the pre-authentication nature of the vulnerability, attackers could exploit it remotely without needing valid credentials, increasing the risk of widespread attacks targeting European organizations that rely on this product for endpoint protection.

To mitigate CVE-2025-54987, European organizations should immediately prioritize patching or upgrading Trend Micro Apex One management consoles to versions where this vulnerability is fixed once patches are released by Trend Micro. Until patches are available, organizations should restrict network access to the management console by implementing strict firewall rules and network segmentation, limiting access only to trusted administrative hosts. Employing intrusion detection and prevention systems to monitor for suspicious upload or command execution attempts targeting the management console is recommended. Organizations should also audit and harden configurations, disable any unnecessary services or interfaces on the management console, and enforce strong access controls and multi-factor authentication for administrative access to reduce risk. Regularly reviewing logs for anomalous activity related to the management console can help detect exploitation attempts early. Finally, organizations should prepare incident response plans specifically addressing potential compromise of endpoint management infrastructure.