At a glance: A critical unauthenticated RCE vulnerability in Trend Micro Apex Central allows an attacker with network-level access to the vulnerable service to execute code as SYSTEM, enabling full compromise of the management server. While no active exploitation is confirmed, public PoC code increases exposure. Organizations should upgrade to Build 7190 across all on-premises nodes. Field Effect MDR users will receive an ARO with mitigation guidance if impacted.
Threat summary
On January 7, 2026, Trend Micro released Build 7190 to remediate three vulnerabilities in Apex Central, including one rated critical. All issues affect Apex Central versions before Build 7190 running the on-premises Windows deployment.
The flaws were originally discovered by researchers in August 2025, and proof-of-concept (PoC) code was published on January 7 following a coordinated disclosure. There is no confirmed reporting of active exploitation in the wild.
Apex Central is Trend Micro’s centralized management platform for endpoint, server, and network security products, providing policy management, event correlation, and threat response orchestration across enterprise environments.
One flaw, tracked as CVE-2025-69258, carries a Common Vulnerability Scoring System (CVSS) rating of 9.8. The vulnerability results from the product loading a dynamic link library (DLL) without validating its origin or integrity.
When a privileged service loads an attacker-supplied DLL in this manner, the attacker's code executes with the same permissions as the service, typically SYSTEM. With this level of access, a threat actor could fully compromise the Apex Central server and gain downstream control of connected security products, including the ability to disable protections, deploy malicious policies, or pivot deeper into enterprise networks.
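The two properties the paragraph names, origin and integrity of a loaded DLL, are what a defender can audit on a running host. The PowerShell below is an added example, not Trend Micro's code and not a check for this specific CVE: it lists the modules a running service process has loaded, flags any whose Authenticode signature does not verify, and flags any loaded from outside the protected Windows and Program Files directories. The process name is a placeholder, since Apex Central's service names are not given on this page; run it elevated so the modules of a SYSTEM process are readable.

```powershell
# Audit the DLLs loaded by a service process for origin and integrity.
# PLACEHOLDER_SERVICE is a placeholder: substitute the process you are auditing.
param(
    [string]$ProcessName = 'PLACEHOLDER_SERVICE'
)

# Directories that unprivileged users cannot write to under default ACLs (assumption).
$trustedRoots = @(
    $env:SystemRoot,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Warning "No running process named '$ProcessName' found."
    return
}

$findings = foreach ($proc in $procs) {
    # Process.Modules lists every image mapped into the process, the EXE included.
    foreach ($module in $proc.Modules) {
        $path = $module.FileName
        if (-not $path) { continue }

        # Origin check: is the image loaded from a protected directory?
        $inTrustedRoot = $false
        foreach ($root in $trustedRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inTrustedRoot = $true
                break
            }
        }

        # Integrity check: 'Valid' means the Authenticode signature chains to a
        # trusted root and the file on disk has not been modified since signing.
        $sig = Get-AuthenticodeSignature -FilePath $path

        [pscustomobject]@{
            ProcessId       = $proc.Id
            Module          = $path
            SignatureStatus = $sig.Status
            Signer          = $sig.SignerCertificate.Subject
            InTrustedRoot   = $inTrustedRoot
            Suspicious      = (-not $inTrustedRoot) -or ($sig.Status -ne 'Valid')
        }
    }
}

# Report only modules that fail either the origin or the integrity check.
$findings | Where-Object Suspicious | Sort-Object Module | Format-Table -AutoSize
```

An unsigned or out-of-place module is a lead for investigation, not proof of compromise: some legitimate third-party components are unsigned, so compare findings against a known-good server of the same build.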
Trend Micro also patched two additional high-severity vulnerabilities, CVE-2025-69259 and CVE-2025-69260, which enable denial-of-service conditions.
Trend Micro recommends upgrading Apex Central to Build 7190, which contains fixes for all three vulnerabilities.
Insights & mitigations
CVE-2025-69258 is described as an unauthenticated remote code execution flaw, but exploitation requires network-level access to reach the vulnerable Apex Central service. Once an adversary has internal network access, the flaw enables execution of code as SYSTEM without authentication.
The combination of no credential requirement and SYSTEM-level execution increases the risk for organizations where an attacker has already gained a foothold. The availability of PoC code further increases the likelihood of exploitation.
Organizations operating on-premises Windows deployments of Apex Central can reduce exposure by applying the update across all management servers and confirming that no outdated nodes remain in distributed environments.
Field Effect MDR users will be alerted via ARO if vulnerable systems are detected in their environment, with clear guidance on recommended steps to mitigate the threat. Field Effect MDR also helps reduce risk by continuously monitoring for abnormal behavior across endpoints, networks, and cloud services, enabling rapid detection and response to actions consistent with attempts to exploit these vulnerabilities.