Key Facts: Vulnerability Disclosure
- Initial Discovery: February 2026
- Public Advisory Date: February 24, 2026
- Vulnerability IDs: CVE-2025-71210 and CVE-2025-71211
- Target System: Trend Micro Apex One (On-Premise)
- Vulnerability Type: Console Directory Traversal / Remote Code Execution (RCE)
- Severity: Critical (CVSS Score: 9.8)
- Status: Patched; Critical Patch Build 14136 released for Windows.
What is the Trend Micro Apex One vulnerability?
On February 24, 2026, Trend Micro (trendmicro.com) issued a formal security bulletin (KA-0022458) regarding multiple security flaws in its Apex One endpoint security platform. The primary issues center on CVE-2025-71210 and CVE-2025-71211, both of which are "directory traversal" vulnerabilities within the Apex One Management Console.
Directory traversal allows an attacker to access files and directories that are stored outside the web root folder. By exploiting this, an unauthenticated remote attacker could upload malicious files and execute arbitrary commands with administrative privileges on the underlying Windows system.
Trend Micro proactively mitigated its SaaS (cloud-based) instances prior to the public disclosure. For organizations managing their own self-hosted (on-premise) environments, a critical patch was released to close these security gaps.
What systems are affected?
The vulnerabilities specifically impact the Trend Micro Apex One management console, which serves as the central hub for managing endpoint security across a corporate network. While the RCE flaws are specific to Windows-based consoles, the broader advisory also addressed several high-severity local privilege escalation (LPE) flaws affecting both Windows and macOS agents.
According to the official advisory, the following products and versions are affected:
Organizations utilizing Apex One for endpoint detection and response (EDR) or automated threat defense are advised to verify their build number immediately.
Potential impact for organizations
For organizations utilizing Trend Micro Apex One, a console left unpatched against these CVEs presents a "keys to the kingdom" risk. Because the management console oversees security policies for all connected endpoints, a compromise here could lead to:
- Full System Takeover: Attackers can execute unauthorized commands to disable security features or manipulate the server.
- Ransomware Deployment: The console can be used as a distribution point to push malicious payloads to all connected workstations and servers.
- Lateral Movement: Once the central console is compromised, attackers can bridge into other sensitive areas of the corporate network using administrative credentials stored or managed by the platform.
How to secure your environment
- Review Official Guidance: Consult Trend Micro Knowledge Base article KA-0022458 for detailed technical specifications and download links.
- Apply Critical Patches: Immediately update on-premise Windows instances to Build 14136 or later.
- Restrict Console Access: Implement network segmentation or source IP restrictions to ensure the Management Console is not exposed to the public internet.
- Audit for Compromise: Review system logs from February 2026 for any signs of unusual file uploads or unauthorized directory access within the console’s web folders.
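For the audit step above, one way to triage the console's web server logs for traversal-style requests, as an added example that is not taken from Trend Micro's advisory. It assumes the web server writes W3C extended format logs with a `#Fields:` header; the sample paths and addresses are constructed placeholders, not real indicators.

```python
import re
from urllib.parse import unquote

# A ".." segment after decoding, bounded by a separator or parameter delimiter.
TRAVERSAL = re.compile(r"(?:^|[\\/=&?])\.\.(?=[\\/]|$)")


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is also caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(lines, month="2026-02"):
    """Return one dict per request in `month` whose URI decodes to a ".." segment."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("date", "").startswith(month):
            continue
        target = row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", "")
        if TRAVERSAL.search(fully_decode(target)):
            hit = {f: row.get(f, "-") for f in ("date", "time", "c-ip", "cs-method", "sc-status")}
            hit["upload"] = hit["cs-method"] in ("POST", "PUT")  # possible file write
            hits.append(hit)
    return hits


# Constructed sample log: paths and addresses are placeholders, not real indicators.
SAMPLE = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-02-10 08:14:02 198.51.100.7 GET /console/index.html - 200
2026-02-11 03:22:41 203.0.113.9 POST /console/upload type=a&name=..%2f..%2fx.bin 200
2026-02-11 03:22:45 203.0.113.9 GET /console/%252e%252e/%252e%252e/x.bin - 404
2026-01-30 11:00:00 203.0.113.9 GET /console/../x - 404
2026-02-12 09:00:00 198.51.100.7 GET /console/v1..2/report.html - 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Hits with `upload` set and a 2xx status deserve the first look, since they pair a traversal sequence with a request that may have written a file.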
Frequently Asked Questions
What is CVE-2025-71210?
It is a critical directory traversal vulnerability in the Trend Micro Apex One management console. It allows an attacker to bypass security restrictions to upload and run malicious code on the server without needing to log in.
Is my personal data at risk?
This was reported as a technical vulnerability in security software, not a breach of a consumer database. There is currently no evidence that individual user data (such as emails or passwords) has been stolen.
What systems were impacted?
The vulnerability primarily impacts the on-premise versions of Trend Micro Apex One running on Windows. Additionally, six other high-severity flaws (CVE-2025-71212 through CVE-2025-71217) were identified that could allow local users to gain higher privileges on both Windows and macOS systems.
What should I do if my company uses Trend Micro?
Standard employees typically do not need to take action. This update must be performed by IT or Security Administrators. If you manage these systems, ensure your on-premise build is updated to 14136 to mitigate the RCE risk.