Apex Central: critical RCE in on-prem Windows builds

Trend Micro patched CVE-2025-69258 (CVSS 9.8) in Apex Central for Windows (on-prem). An unauthenticated attacker can send a crafted message to MsgReceiver.exe (default TCP 20001) to load a malicious DLL via LoadLibraryEx, achieving SYSTEM execution. Two additional DoS issues (CVE-2025-69259/69260, CVSS 7.5) were fixed. Builds below 7190 are affected; Trend Micro advises patching and reviewing remote access to critical systems. Tenable reported the flaws and described the message IDs that trigger them.

Trend Micro has updated Apex Central for Windows (on-prem) to fix a critical remote code execution bug, CVE-2025-69258 (CVSS 9.8). The issue sits in MsgReceiver.exe listening on TCP 20001; a crafted message leads to loading an attacker-controlled DLL, executing as SYSTEM. Two lesser—but still important—DoS flaws (CVE-2025-69259/69260) were also resolved.

Who’s affected
On-prem installations below Build 7190 are vulnerable. Cloud-managed versions aren’t in scope here. As always, patching beats hoping: apply the vendor update, then verify the service build.

Exploitation mechanics (plain English)

Apex Central receives internal messages to coordinate tasks. If you can reach 20001/TCP, a malicious message can instruct the service to load a DLL of the attacker’s choosing. Once loaded, that code runs as SYSTEM—the Windows equivalent of “you own the box.”

What to do next
• Patch to the fixed build (≥ 7190).
• Restrict network access to management ports like 20001/TCP.
• Review logs for odd service messages and confirm endpoint protections are current.
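
A local check for the "restrict network access" step, as an added example (not Trend Micro or Tenable code): it reports what is listening on TCP 20001 and which effective inbound allow rules admit traffic to it, including port ranges and program-scoped rules. It assumes Windows Defender Firewall is the host firewall and that the script runs elevated on the Apex Central server; the port and process name are taken from the advisory.

```powershell
# Added example. Port 20001 and MsgReceiver.exe come from the advisory text.
$Port = 20001
$ExpectedProcess = 'MsgReceiver'

function Test-PortInSpec {
    # True when a firewall LocalPort spec ('Any', '20001', '20000-20010') covers $Port.
    param([string[]]$Spec, [int]$Port)
    foreach ($s in $Spec) {
        if ($s -eq 'Any') { return $true }
        if ($s -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($s -match '^\d+$' -and [int]$s -eq $Port) { return $true }
    }
    return $false
}

# 1. Who is listening on the port, and on which local addresses?
$listeners = @(Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue)
if (-not $listeners) { Write-Warning "Nothing is listening on TCP $Port on this host." }
$listeners | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalAddress = $_.LocalAddress      # 0.0.0.0 or :: means every interface
        Process      = $proc.ProcessName
        IsExpected   = ($proc.ProcessName -eq $ExpectedProcess)
    }
} | Format-Table -AutoSize

# 2. Which effective inbound allow rules admit TCP traffic to that port, and from where?
$rules = Get-NetFirewallRule -PolicyStore ActiveStore | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow'
}
$admitting = foreach ($rule in $rules) {
    $ports = $rule | Get-NetFirewallPortFilter
    if ($ports.Protocol -notin 'TCP', 'Any', '6') { continue }
    if (-not (Test-PortInSpec -Spec $ports.LocalPort -Port $Port)) { continue }
    $app = ($rule | Get-NetFirewallApplicationFilter).Program
    # Skip rules scoped to some other program; they cannot reach this service.
    if ($app -ne 'Any' -and $app -notlike '*\MsgReceiver.exe') { continue }
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Program       = $app
        RemoteAddress = $remote -join ','
        OpenToAny     = ($remote -contains 'Any')   # True = not restricted by source
    }
}
$admitting | Sort-Object OpenToAny -Descending | Format-Table -AutoSize
```

Any row with OpenToAny = True is a rule to rescope to the management subnet. Block rules and upstream network ACLs are not evaluated here.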

Takeaway: management consoles concentrate privilege. Keep them fully patched, tightly scoped on the network, and closely monitored.