Critical Trend Micro Apex One Console Directory Traversal RCE Vulnerability (CVE-2025-71210)
A critical directory traversal vulnerability in Trend Micro Apex One, tracked as CVE-2025-71210 with a CVSS score of 9.8, allows unauthenticated remote attackers to execute arbitrary code on the console.
A critical directory traversal vulnerability in Trend Micro Apex One, tracked as CVE-2025-71210 with a CVSS score of 9.8, allows unauthenticated remote attackers to execute arbitrary code on the console.
Trend Micro has released an update to address a critical directory traversal vulnerability in its Apex One endpoint protection console, tracked as CVE-2025-71210. The flaw carries a CVSS score of 9.8, indicating the highest severity, and allows unauthenticated remote attackers to execute arbitrary code on affected systems.
The vulnerability resides in the Apex One console, which listens on TCP ports 8080 and 4343 by default. According to the advisory published by the Zero Day Initiative (ZDI-26-136), the issue stems from improper validation of user-supplied strings before they are used in a system call. An attacker can exploit this directory traversal weakness to execute arbitrary code in the context of the IUSR account, which is the built-in Internet Information Services (IIS) anonymous user account.
Trend Micro Apex One is a widely deployed endpoint security solution used by enterprises to manage antivirus, anti-malware, and other security policies across their networks. The console is the central management interface, making this vulnerability particularly dangerous as it could allow an attacker to take full control of the management server and potentially pivot to managed endpoints.
Trend Micro has issued a security update to correct the vulnerability. Customers are advised to apply the patch immediately. The advisory can be found at Trend Micro's support page: https://success.trendmicro.com/en-US/solution/KA-0022458.
The vulnerability was discovered and reported by researchers Jacky Hsieh and Charles Yang of CoreCloud Tech. The disclosure timeline shows the issue was reported to Trend Micro on September 11, 2025, with the coordinated public release occurring on March 3, 2026.
This vulnerability highlights the ongoing risk posed by directory traversal flaws in enterprise management consoles, which often have broad system access and are exposed to internal networks. Organizations using Trend Micro Apex One should prioritize patching this vulnerability to prevent potential compromise of their endpoint management infrastructure.