Critical

Directory Traversal RCE in Trend Micro Apex One Management Console

Identifiers: CVE-2025-71211, CWE-22 · Improper Limitation of a Pathname…

CVE-2025-71211 is a critical remote code execution vulnerability in the Trend Micro Apex One management console. Available reporting describes it as a console directory traversal/path traversal issue affecting a different executable than CVE-2025-71210. The flaw exists because the console does not properly validate a user-supplied string before using it in a system call, enabling an attacker to upload malicious code and execute commands on affected installations. The vulnerable Apex One console listens on TCP ports 8080 and 4343 by default. Successful exploitation can result in arbitrary code execution in the context of the IUSR account on affected Windows systems.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote attacker to execute arbitrary code on the affected Apex One server, including uploading malicious code and running commands. This can compromise the confidentiality, integrity, and availability of the affected system and may provide a foothold for further compromise of the security management infrastructure. Reported impact is consistent with the published CVSS 9.8 rating.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict access to the Apex One Management Console. Trend Micro specifically recommends applying source restrictions, especially where the console IP address is exposed externally. Limit network exposure of the console, avoid direct internet exposure, and restrict access to trusted administrative networks only.
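One way to check that the source restriction holds, as an added example that is not from Trend Micro or this page: the script audits W3C-format web server logs for requests to the console ports from outside an allowed network and flags generic traversal sequences. The trusted network, log fields, sample lines and paths are constructed assumptions, and the traversal pattern is a generic CWE-22 indicator, not a signature for CVE-2025-71211.

```python
import ipaddress
import re
from urllib.parse import unquote

CONSOLE_PORTS = {"8080", "4343"}  # console defaults stated in the advisory
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumption: admin network
TRAVERSAL = re.compile(r"\.\.[\\/]")  # generic CWE-22 indicator, not a CVE signature
# Constructed sample in W3C log format; paths and addresses are placeholders.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-01-01 10:00:00 GET /example/page - 4343 10.20.0.17 200
2025-01-01 10:00:05 GET /example/page - 4343 203.0.113.9 200
2025-01-01 10:00:09 POST /example/upload f=%252e%252e%255cx 8080 203.0.113.9 500
2025-01-01 10:00:12 GET /other/ - 443 198.51.100.4 200
""".splitlines()

def parse_w3c(lines):
    """Yield one dict per request, keyed by the log's own #Fields header."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def decode(value, rounds=3):
    """Undo nested percent-encoding so doubly encoded dots and slashes are seen."""
    for _ in range(rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def audit(lines):
    """Return (source, port, uri, reasons) for console requests worth review."""
    findings = []
    for rec in parse_w3c(lines):
        if rec.get("s-port") not in CONSOLE_PORTS:
            continue  # not a console listener
        reasons = []
        src = ipaddress.ip_address(rec["c-ip"])
        if not any(src in net for net in TRUSTED_NETS):
            reasons.append("untrusted-source")  # source restriction not effective
        uri = decode(rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", ""))
        if TRAVERSAL.search(uri):
            reasons.append("traversal-sequence")
        if reasons:
            findings.append((str(src), rec["s-port"], uri, reasons))
    return findings
```

Pass the lines of a real log file to `audit()`; any "untrusted-source" finding after the restriction is in place means the console is still reachable from outside the allowed networks.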

Remediation

Patch, then assume compromise.

Apply Trend Micro's vendor fix for CVE-2025-71211. Reporting indicates Trend Micro released Critical Patch Build 14136 to address the Apex One management console RCE issues, and customers should update to the latest available builds immediately. Trend Micro also stated that SaaS versions were already mitigated and require no customer action.
PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor       Product       Type
Trend Micro  Apex One      application
Trend Micro  Apexone Op    application
Trend Micro  Apexone Saas  application

Vendor-confirmed product mapping.