Critical Trend Micro Apex Central RCE Vulnerability Explained (2026)

Trend Micro Apex Central Faces Critical RCE Vulnerability with a CVSS Score of 9.8

On January 9, 2026, Trend Micro announced security updates that fix several vulnerabilities in the on-premises versions of its Apex Central software for Windows. Among them is a severe flaw that can lead to remote code execution, potentially allowing unauthorized access to sensitive systems.

The vulnerability, tracked as CVE-2025-69258, carries a CVSS score of 9.8 out of 10, which places it in the critical range. According to Trend Micro, the flaw relates to the LoadLibraryEx function and lets an unauthenticated attacker load a malicious DLL into a key executable. The attacker-supplied code then runs with SYSTEM-level privileges on affected systems.

As part of its security response, Trend Micro also addressed two additional vulnerabilities:

  • CVE-2025-69259 (CVSS score: 7.5) - A message-handling flaw involving an unchecked NULL return value in Trend Micro Apex Central, which an unauthenticated remote attacker could exploit to create a denial-of-service (DoS) condition on affected installations.
  • CVE-2025-69260 (CVSS score: 7.5) - An out-of-bounds read in Trend Micro Apex Central, which likewise lets a remote, unauthenticated attacker cause a denial-of-service condition on vulnerable installations.

The cybersecurity firm Tenable, which identified and reported all three vulnerabilities in August 2025, explained that an attacker could exploit CVE-2025-69258 by sending a specific message, "0x0a8d" (designated as "SC_INSTALL_HANDLER_REQUEST"), to the MsgReceiver.exe component. This causes a DLL under the attacker's control to be loaded into the binary, resulting in code execution with elevated privileges.

Similarly, CVE-2025-69259 and CVE-2025-69260 can be triggered by sending another specially crafted message, "0x1b5b" (labeled as "SC_CMD_CGI_LOG_REQUEST"), to the MsgReceiver.exe process, which listens on the default TCP port 20001.

These vulnerabilities affect all on-premises versions of Apex Central below Build 7190. For exploitation to succeed, an attacker must already have either physical or remote access to a vulnerable endpoint.

Trend Micro emphasized the importance of promptly applying patches and updating solutions, while also advising customers to reassess their remote access protocols to vital systems and ensure that their security policies and perimeter defenses are current.
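As a way to act on that advice, the following added example (not from Trend Micro or Tenable) reviews a Windows Firewall log for accepted inbound TCP connections to the MsgReceiver.exe port from outside an approved management range. The allowlisted subnet, the sample log lines and the function names are assumptions, and the log only contains allowed connections if logging of successful connections is enabled on the server.

```python
import ipaddress

MSGRECEIVER_PORT = 20001  # default MsgReceiver.exe TCP port, per the article
FIXED_BUILD = 7190        # builds below this are affected, per the article

# Assumption: the only subnet that should ever reach the Apex Central server.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample in Windows Firewall (pfirewall.log) format.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2026-01-10 08:01:12 ALLOW TCP 10.20.0.15 10.20.0.5 51514 20001 0 - 0 0 0 - - - RECEIVE
2026-01-10 08:03:40 ALLOW TCP 192.0.2.77 10.20.0.5 40222 20001 0 - 0 0 0 - - - RECEIVE
2026-01-10 08:04:02 DROP TCP 198.51.100.9 10.20.0.5 40310 20001 0 - 0 0 0 - - - RECEIVE
2026-01-10 08:05:19 ALLOW TCP 192.0.2.77 10.20.0.5 40391 443 0 - 0 0 0 - - - RECEIVE
2026-01-10 08:06:00 ALLOW UDP 192.0.2.77 10.20.0.5 40391 20001 0 - - - - - - - RECEIVE
garbled line
"""

def is_affected(build: int) -> bool:
    """True if an on-premises build number is below the fixed build."""
    return build < FIXED_BUILD

def unexpected_msgreceiver_peers(log_text, allowed=ALLOWED_NETS):
    """Return (date, time, src-ip) for accepted inbound TCP/20001 from non-allowlisted sources."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log header
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip truncated or garbled records
        rec = dict(zip(fields, parts))
        if (rec["action"], rec["protocol"], rec["path"]) != ("ALLOW", "TCP", "RECEIVE"):
            continue
        if rec["dst-port"] != str(MSGRECEIVER_PORT):
            continue
        try:
            src = ipaddress.ip_address(rec["src-ip"])
        except ValueError:
            continue
        if not any(src in net for net in allowed):
            hits.append((rec["date"], rec["time"], rec["src-ip"]))
    return hits
```

Any hit on a server where `is_affected` is true for the installed build is a reason to tighten the firewall rule for port 20001 before, not instead of, applying the update.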


Article information

Author: Dean Jakubowski Ret
