Critical Unauthenticated RCE Flaw in TrendAI Apex One Console Disclosed with Patch
TrendAI has patched CVE-2025-54948, a critical directory traversal vulnerability in the Apex One console that allows unauthenticated remote code execution as the IUSR user.

TrendAI has released a security patch for a critical vulnerability in its Apex One console, tracked as CVE-2025-54948 and disclosed today by the Zero Day Initiative (ZDI-26-269). The flaw, which carries a CVSS score of 9.8, allows unauthenticated remote attackers to execute arbitrary code on affected installations by exploiting a directory traversal weakness in the console's file operations.
The vulnerability resides in the Apex One console, which listens on TCP ports 8080 and 4343 by default. The issue stems from improper validation of user-supplied paths before they are used in file operations. An attacker can send a specially crafted request to traverse directories and write or execute files in arbitrary locations, ultimately achieving code execution in the context of the IUSR account — the built-in Internet Guest Account used by IIS.
Because the vulnerability requires no authentication and can be triggered over the network, it poses a severe risk to organizations relying on TrendAI Apex One for endpoint security management. The console is typically deployed on Windows servers within corporate networks, and if exposed to the internet, it could be directly targeted by remote attackers. The ZDI advisory notes that the flaw was reported to TrendAI on August 26, 2025, and the coordinated public disclosure occurred on April 15, 2026.
TrendAI has issued an update to correct the vulnerability, with details available in their security advisory at https://success.trendmicro.com/en-US/solution/KA-0022458. Organizations using Apex One are strongly urged to apply the patch immediately. As a temporary mitigation, administrators can restrict network access to the console ports (8080 and 4343) to trusted IP addresses only.
The vulnerability was discovered and reported by Charles Yang of CoreCloud Tech, who was credited in the ZDI advisory. This disclosure highlights the ongoing risk posed by directory traversal flaws in enterprise management consoles, which often run with elevated privileges and are attractive targets for attackers seeking to pivot within a network.
While no active exploitation has been reported at the time of disclosure, the high severity and ease of exploitation make CVE-2025-54948 a likely candidate for inclusion in CISA's Known Exploited Vulnerabilities catalog if in-the-wild attacks emerge. Security teams should prioritize patching and review their Apex One console exposure as part of their vulnerability management routine.
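As an added example (not from TrendAI or the ZDI advisory), the Python sketch below triages IIS W3C logs for requests to the default console ports (8080 and 4343) whose path or query decodes to a directory traversal segment, including double-encoded forms. The log field layout, sample lines, addresses and URL paths are constructed for illustration; the advisory does not publish the vulnerable endpoint or request format.

```python
import re
from urllib.parse import unquote

CONSOLE_PORTS = {"8080", "4343"}  # default console ports named in the article
# ".." as a whole path segment: after a separator, before / or \ or end of string
TRAVERSAL = re.compile(r"(?:^|[\\/=&?;])\.\.(?:[\\/]|$)")

# Constructed sample log; hosts, paths and parameters are hypothetical.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2026-04-15 09:00:01 10.0.0.5 GET /console/index.html - 4343 10.0.0.20 200
2026-04-15 09:00:07 10.0.0.5 POST /console/example.dll name=..%2f..%2fexample.txt 4343 203.0.113.9 200
2026-04-15 09:00:09 10.0.0.5 POST /console/example.dll name=%252e%252e%255cexample.txt 8080 203.0.113.9 404
2026-04-15 09:00:12 10.0.0.5 GET /console/example.dll name=report..final.txt 4343 10.0.0.20 200
2026-04-15 09:00:15 10.0.0.5 GET /site/page name=..%2fexample.txt 443 198.51.100.4 200
"""

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e) surface."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal_requests(log_text):
    """Return (client_ip, port, method, raw_target) for each request to a
    console port whose URI stem or query decodes to a traversal segment."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared per log file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed rows
        row = dict(zip(fields, values))
        if row.get("s-port") not in CONSOLE_PORTS:
            continue
        target = row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", "-")
        if TRAVERSAL.search(decode_fully(target)):
            hits.append((row.get("c-ip"), row["s-port"], row.get("cs-method"), target))
    return hits

if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for review rather than proof of compromise; pair it with the client address and response status when deciding what to investigate.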