Published on January 9, 2026

Trend Micro Apex Central RCE Flaw Scores 9.8 CVSS in On-Prem Windows Versions


Severity
Critical

Detail

Trend Micro has released security updates to address multiple vulnerabilities affecting on-premise Windows installations of Apex Central, including a critical remote code execution (RCE) flaw that could allow attackers to execute arbitrary code with elevated privileges.

The most severe vulnerability, CVE-2025-69258, is caused by improper handling of the LoadLibraryEX function. An unauthenticated remote attacker can exploit this flaw to load a malicious, attacker-controlled DLL into a trusted Apex Central executable, resulting in code execution under the SYSTEM context.

In addition to the RCE vulnerability, Trend Micro also patched two medium-severity vulnerabilities that could lead to denial-of-service (DoS) conditions by abusing message handling flaws in the MsgReceiver.exe component.

Although exploitation requires the attacker to already have physical or remote access to a vulnerable endpoint, successful attacks could result in full system compromise.

| CVE Number | Description | CVSS Score (Severity) |
|---|---|---|
| CVE-2025-69258 | Remote Code Execution via LoadLibraryEX DLL Injection in Trend Micro Apex Central | 9.8 (Critical) |
| CVE-2025-69259 | Unchecked NULL Return Value Leading to Denial of Service | 7.5 (High) |
| CVE-2025-69260 | Out-of-Bounds Read Leading to Denial of Service | 7.5 (High) |

– CVE-2025-69258 can be exploited by sending a crafted message 0x0a8d (SC_INSTALL_HANDLER_REQUEST) to the MsgReceiver.exe service, causing it to load a malicious DLL and execute attacker-controlled code with SYSTEM privileges.

– CVE-2025-69259 and CVE-2025-69260 can be triggered by sending a specially crafted message 0x1b5b (SC_CMD_CGI_LOG_REQUEST) to the same service, resulting in denial-of-service conditions.

Affected Version

Trend Micro Apex Central (On-Premise – Windows)

  • All versions below Build 7190 are affected

Recommendation

Administrators are strongly advised to upgrade Trend Micro Apex Central to Build 7190 or later immediately to remediate these vulnerabilities. Additional security best practices include:

  • Restricting and reviewing remote access to Apex Central servers
  • Ensuring perimeter firewall rules block unauthorized access to TCP port 20001
  • Monitoring Apex Central servers for suspicious DLL loading activity
  • Applying the latest security patches and solution updates from Trend Micro
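
One way to act on the DLL-loading recommendation is to triage Sysmon Event ID 7 (ImageLoad) records for MsgReceiver.exe. The following is an added example, not code from Trend Micro or the source article. It assumes ImageLoad logging is enabled and the events are already parsed into dicts. The install directory, the allow-list and the sample events are constructed placeholders.

```python
import ntpath

WATCHED_PROCESS = "msgreceiver.exe"  # service named in the advisory
# Assumed allow-list; the install directory is a placeholder, not from the advisory.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\winsxs",
                r"c:\apex-central-install-dir-placeholder")

# Constructed Sysmon Event ID 7 (ImageLoad) records, already parsed into dicts.
EXE = r"C:\Apex-Central-Install-Dir-Placeholder\MsgReceiver.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": EXE, "ImageLoaded": r"C:\Windows\System32\ws2_32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": EXE, "ImageLoaded": r"\\198.51.100.7\share\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": EXE, "ImageLoaded": r"C:\Windows\System32\..\Temp\update.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Windows\notepad.exe", "ImageLoaded": r"C:\Temp\x.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]


def classify_load(event):
    """Return the reasons an image load by the watched process looks suspicious."""
    if event.get("EventID") != 7:
        return []
    if ntpath.basename(event.get("Image", "")).lower() != WATCHED_PROCESS:
        return []
    # normpath collapses "..\" so a traversal cannot hide under a trusted prefix.
    loaded = ntpath.normpath(event.get("ImageLoaded", "")).lower()
    reasons = []
    if loaded.startswith("\\\\"):
        reasons.append("network (UNC) path")
    elif not any(loaded.startswith(d + "\\") for d in TRUSTED_DIRS):
        reasons.append("outside trusted directories")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    return reasons


def triage(events):
    """Return (ImageLoaded, reasons) for every event that needs analyst review."""
    return [(e["ImageLoaded"], r) for e in events if (r := classify_load(e))]


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS):
        print(f"REVIEW {path}: {', '.join(reasons)}")
```

Replace the placeholder directory with the server's real install path before use; a hit is a prompt for review, not proof of compromise.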

Source

https://thehackernews.com/2026/01/trend-micro-apex-central-rce-flaw.html