Executive Summary

Trend Micro has issued urgent security updates for its on-premise Apex Central for Windows product to address several vulnerabilities. The most severe of these is CVE-2025-69258, a critical remote code execution (RCE) vulnerability with a CVSS score of 9.8. The flaw allows an unauthenticated attacker to remotely execute code with SYSTEM privileges, effectively taking full control of the central security management server. Two additional high-severity denial-of-service (DoS) vulnerabilities were also patched. Trend Micro advises customers to apply the patches for Apex Central on-premise to upgrade to Build 7190 or a later version immediately.

Vulnerability Details

CVE-2025-69258: Critical RCE

The core vulnerability is a LoadLibraryEX issue within the MsgReceiver.exe component of Apex Central. This executable listens for messages on TCP port 20001 by default. According to Tenable, which discovered the flaw, an unauthenticated attacker can send a specially crafted message (SC_INSTALL_HANDLER_REQUEST) to this port.

This message can trick the MsgReceiver.exe process into loading a malicious DLL from a remote location specified by the attacker. Because the service runs with high privileges, the code within the malicious DLL is executed with SYSTEM rights on the server. This gives the attacker complete control over the Apex Central instance, which is a highly privileged target as it manages security policies for numerous endpoints.

CVE-2025-69259 & CVE-2025-69260: High-Severity DoS

Trend Micro also patched two high-severity DoS vulnerabilities, both rated 7.5 on the CVSS scale. These flaws can also be triggered by sending a crafted message to the MsgReceiver.exe process, causing it to crash and disrupting the functionality of the Apex Central management console.

Affected Systems

• Product: Trend Micro Apex Central (on-premise for Windows)
• Affected Versions: All builds prior to Build 7190.
• Patched Version: Build 7190 and later.

Exploitation Status

As of the disclosure, there is no evidence of active exploitation in the wild. However, the vulnerability was discovered by external researchers in August 2025, and now that the details are public, the risk of reverse-engineering and exploit development is high. The low complexity and lack of authentication required for the RCE flaw make it an attractive target for threat actors.

Impact Assessment

A compromise of the Apex Central server is a worst-case scenario for an organization using Trend Micro products. An attacker with SYSTEM access to this server could:

• Disable Security Policies: Universally disable antivirus, EDR, and other security controls on all managed endpoints, rendering them defenseless.
• Deploy Malware: Use the Apex Central platform as a software distribution point to push malware or ransomware to every endpoint in the organization.
• Exfiltrate Data: Access sensitive logs and data aggregated by the security platform.
• Pivot and Persist: Use the compromised server as a powerful and trusted pivot point to move laterally across the network.

Detection Methods

• Network Monitoring (D3-NTA: Network Traffic Analysis): Monitor for and alert on any unexpected connections to TCP port 20001 on Apex Central servers, especially from non-standard sources or the internet.
• Process Monitoring: Use an EDR to monitor the MsgReceiver.exe process for anomalous behavior, such as loading DLLs from network shares or unusual file paths.
• Vulnerability Scanning: Scan your environment to identify any Apex Central instances running a build lower than 7190.

Remediation Steps

• Apply Patches (D3-SU: Software Update): The only effective remediation is to apply the security updates provided by Trend Micro to bring Apex Central to at least Build 7190.
• Firewall Rules: As a compensating control, ensure that TCP port 20001 on the Apex Central server is not exposed to the internet and is only accessible from trusted Trend Micro components and management segments within the network.