Trend Micro has released critical security patches addressing five high-severity vulnerabilities in Apex One and Apex One as a Service products.
The most severe vulnerability, tracked as CVE-2025-49155, allows remote attackers to execute arbitrary code through the Data Loss Prevention module.
Security researchers have assigned this vulnerability a CVSSv3.1 score of 8.8, indicating its significant potential impact.
The vulnerabilities affect Windows-based installations of both on-premises and SaaS versions of the security product, with patches becoming available on June 9, 2025.
The most concerning vulnerability (CVE-2025-49155) stems from an uncontrolled search path element in the Data Loss Prevention module.
This vulnerability enables attackers to inject malicious code, potentially leading to remote code execution with minimal user interaction.
According to the technical analysis, the vulnerability doesn’t require authentication or high privileges to exploit, making it particularly dangerous in real-world attack scenarios.
Four additional vulnerabilities have been disclosed, including an insecure access control issue (CVE-2025-49154, CVSS score 8.7) that could allow attackers to overwrite key memory-mapped files.
Three local privilege escalation vulnerabilities were also identified: a link following vulnerability in the scan engine (CVE-2025-49156), another in the Damage Cleanup Engine (CVE-2025-49157), and an uncontrolled search path element in the security agent itself (CVE-2025-49158).
These vulnerabilities have CVSS scores ranging from 6.7 to 7.8, indicating medium to high severity.
Trend Micro Apex One Vulnerability
Security experts note that these vulnerabilities could create a significant security gap for organizations using affected Trend Micro products.
The identified vulnerabilities allow attackers to potentially gain system-level access through various attack paths.
While most vulnerabilities require attackers to first obtain the ability to execute low-privileged code on target systems, the Data Loss Prevention module vulnerability (CVE-2025-49155) stands out as it requires only user interaction rather than prior system access.
The technical classification of these vulnerabilities reveals common weaknesses including CWE-427 (Uncontrolled Search Path Element), CWE-284 (Improper Access Control), and CWE-269 (Improper Privilege Management).
Organizations running Apex One should consider these vulnerabilities particularly critical as they affect core security components designed to protect enterprise environments.
Immediate Patching
Trend Micro has released updated versions to address all five vulnerabilities: Apex One SP1 CP Build 14002 for on-premises deployments and Security Agent Version 14.0.14492 for Apex One as a Service customers.
Security administrators should prioritize applying these patches immediately, as exploits targeting these vulnerabilities could emerge rapidly.
The vulnerabilities were responsibly disclosed by several security researchers, including Alexander Pudwill, Xavier DANEST of Decathlon working with Trend Micro’s Zero Day Initiative, and Vladislav Berghici from Trend Micro Research.
While mitigating factors include the requirement for specific attack conditions, security experts emphasize that the severity of these flaws warrants urgent attention regardless of environmental controls.
Organizations unable to patch immediately should implement strict access controls to affected systems and monitor for suspicious activities, particularly those involving the Data Loss Prevention module or unusual privilege escalation attempts.