Critical Trend Micro Apex One Console Directory Traversal Flaw Allows Unauthenticated RCE (CVE-2025-71211)
A critical directory traversal vulnerability in Trend Micro Apex One Console (CVE-2025-71211, CVSS 9.8) allows unauthenticated remote attackers to execute arbitrary code via TCP ports 8080 and 4343.

Trend Micro has released a security update for a critical directory traversal vulnerability in its Apex One Console, designated CVE-2025-71211. The flaw, disclosed by the Zero Day Initiative (ZDI) on March 3, 2026, carries a CVSS score of 9.8, reflecting its severity and ease of exploitation. The vulnerability affects the Apex One Console, which listens on TCP ports 8080 and 4343 by default, and allows unauthenticated remote attackers to execute arbitrary code in the context of the IUSR account.
The root cause of the vulnerability lies in improper validation of user-supplied strings before they are used in system calls. This directory traversal flaw enables an attacker to break out of restricted paths and execute arbitrary commands on the server. Because authentication is not required, any attacker able to reach the console's network ports can potentially compromise the system without prior access.
The impact of CVE-2025-71211 is significant. Trend Micro Apex One is a widely deployed endpoint protection platform used by enterprises and organizations globally. An attacker exploiting this vulnerability could gain full control over the Apex One Console server, potentially allowing them to disable security monitoring, deploy malware, or pivot to other systems within the network. The IUSR account context provides broad system-level access, amplifying the potential damage.
Trend Micro has issued a security update to address the vulnerability. The advisory is available at Trend Micro's support page. Users and administrators are strongly urged to apply the patch immediately. The vulnerability was reported to Trend Micro on September 11, 2025, by researchers Jacky Hsieh and Charles Yang of CoreCloud Tech, and the coordinated public release occurred on March 3, 2026.
This vulnerability is part of a broader pattern of critical flaws in enterprise security products. Directory traversal and remote code execution vulnerabilities in endpoint protection platforms are particularly dangerous because they can be used to subvert the very tools organizations rely on for defense. The high CVSS score and unauthenticated nature of CVE-2025-71211 make it a prime target for threat actors seeking initial access to corporate networks.
Organizations using Trend Micro Apex One should prioritize patching this vulnerability. In addition to applying the update, administrators should restrict network access to the Apex One Console to trusted IP addresses and monitor for any signs of exploitation. Given the severity and ease of exploitation, this flaw is likely to be incorporated into exploit kits and targeted by ransomware groups in the near future.
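The monitoring and access-restriction advice above can be checked against the console's web logs. The following is an added example, not code from Trend Micro or ZDI: it assumes the console's web server writes IIS W3C extended logs with the fields shown, that `10.20.0.0/24` is the trusted admin subnet, and it uses constructed log lines with placeholder paths rather than the real vulnerable endpoint.

```python
import ipaddress
from urllib.parse import unquote

CONSOLE_PORTS = {"8080", "4343"}  # default console ports named in the article
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumption: admin subnet
# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time s-port cs-method cs-uri-stem cs-uri-query c-ip sc-status
2026-03-04 09:12:01 4343 GET /placeholder/page.htm - 10.20.0.15 200
2026-03-04 09:13:44 8080 GET /placeholder/%2e%2e%5c%2e%2e%5cfile - 203.0.113.7 404
2026-03-04 09:14:02 4343 POST /placeholder/handler.dll name=..%252f..%252fx 10.20.0.15 500
2026-03-04 09:15:30 4343 GET /placeholder/page.htm - 198.51.100.9 200
2026-03-04 09:16:00 443 GET /other/../x - 203.0.113.7 404
"""

def has_traversal(value, max_rounds=3):
    """Percent-decode up to max_rounds times (catches double encoding), then look for dot-dot."""
    for _ in range(max_rounds + 1):
        normalized = value.replace("\\", "/")
        if "../" in normalized or normalized.endswith("/.."):
            return True
        decoded = unquote(value)
        if decoded == value:
            return False
        value = decoded
    return False

def scan(log_text):
    """Return (time, client_ip, reasons) for suspicious requests to the console ports."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("s-port") not in CONSOLE_PORTS:
            continue  # only the console listeners are in scope here
        reasons = []
        if not any(ipaddress.ip_address(row["c-ip"]) in net for net in TRUSTED_NETS):
            reasons.append("untrusted-source")  # should have been blocked by the ACL
        if has_traversal(row["cs-uri-stem"]) or has_traversal(row["cs-uri-query"]):
            reasons.append("traversal-pattern")
        if reasons:
            findings.append((row["time"], row["c-ip"], reasons))
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Any `untrusted-source` hit means the network restriction is not actually in effect for that port; a `traversal-pattern` hit from a trusted address still warrants investigation of that host.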