CVE-2025-30680

7.1 HIGH

📋 TL;DR

A Server-Side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central (SaaS) allows attackers to manipulate parameters to access internal systems and disclose sensitive information. Only SaaS instances of Apex Central are affected. Customers using Trend Micro's automatic monthly maintenance releases are already protected.

💻 Affected Systems

Products:
  • Trend Micro Apex Central (SaaS)
Versions: SaaS instances not updated with Trend Micro's monthly maintenance releases
Operating Systems: Not OS-specific - SaaS application
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects SaaS instances. On-premises installations are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains access to internal systems, exfiltrates sensitive data, or uses the vulnerable server as a pivot point for further attacks on internal networks.

🟠 Likely Case

Information disclosure from internal systems accessible to the Apex Central server, potentially exposing configuration data, credentials, or other sensitive information.

🟢 If Mitigated

Limited impact due to network segmentation, proper access controls, and the server having minimal internal network access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access to the Apex Central interface. The flaw is triggered by manipulating request parameters within the application.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Monthly maintenance releases (automatic for SaaS)

Vendor Advisory: https://success.trendmicro.com/en-US/solution/KA-0019355

Restart Required: No

Instructions:

For SaaS instances: Ensure automatic monthly maintenance updates are enabled. No manual action required if using Trend Micro's automatic updates.

🧯 If You Can't Patch

  • Implement strict network segmentation to limit the Apex Central server's access to internal systems
  • Monitor for unusual outbound connections from the Apex Central server to internal IP addresses

🔍 How to Verify

Check if Vulnerable:

Check if your Apex Central instance is SaaS-based and confirm whether automatic monthly maintenance updates are enabled in the Trend Micro portal.

Check Version:

Not applicable for SaaS instances - version management is handled by Trend Micro

Verify Fix Applied:

Verify in the Trend Micro portal that your SaaS instance is receiving and applying monthly maintenance releases automatically.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests from Apex Central server to internal IP addresses
  • Failed SSRF attempts in application logs
  • Unexpected parameter values in Apex Central request logs

Network Indicators:

  • Apex Central server making requests to internal systems not normally accessed
  • Outbound connections from Apex Central to unexpected internal IP ranges

SIEM Query:

source="apex-central" AND (dest_ip IN [internal_ranges] AND NOT dest_ip IN [expected_targets])
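
The query above expressed as runnable logic, as an added example that is not part of the vendor advisory or any Trend Micro tooling. The key=value log format, the field names other than `source` and `dest_ip`, the internal ranges and the allowlist are all assumptions; the sample records are constructed.

```python
import ipaddress

# Assumption: "internal" means RFC 1918, loopback and link-local space.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
# Constructed allowlist of internal hosts the server is expected to reach.
EXPECTED_TARGETS = [ipaddress.ip_network(n) for n in ("10.20.0.5/32", "10.20.1.0/28")]

# Constructed sample records (the key=value layout is an assumption).
SAMPLE_LOG = [
    "ts=2025-01-01T10:00:00Z source=apex-central dest_ip=10.20.0.5 dest_port=443",
    "ts=2025-01-01T10:00:04Z source=apex-central dest_ip=169.254.169.254 dest_port=80",
    "ts=2025-01-01T10:00:09Z source=apex-central dest_ip=203.0.113.10 dest_port=443",
    "ts=2025-01-01T10:00:12Z source=other-host dest_ip=10.9.9.9 dest_port=22",
    "ts=2025-01-01T10:00:15Z source=apex-central dest_ip=::ffff:192.168.1.7 dest_port=8080",
    "ts=2025-01-01T10:00:20Z source=apex-central dest_ip=10.20.1.3 dest_port=443",
]

def in_any(addr, networks):
    """True if addr falls inside at least one of the given networks."""
    return any(addr in net for net in networks)

def suspicious_connections(lines, source="apex-central"):
    """Return records from `source` whose dest_ip is internal but not expected."""
    hits = []
    for line in lines:
        rec = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if rec.get("source") != source:
            continue
        try:
            dest = ipaddress.ip_address(rec.get("dest_ip", ""))
        except ValueError:
            continue  # not an IP literal; out of scope for this check
        # Normalise IPv4-mapped IPv6 so ::ffff:192.168.1.7 is matched
        # against the IPv4 ranges instead of slipping past them.
        if dest.version == 6 and dest.ipv4_mapped is not None:
            dest = dest.ipv4_mapped
        if in_any(dest, INTERNAL_RANGES) and not in_any(dest, EXPECTED_TARGETS):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in suspicious_connections(SAMPLE_LOG):
        print(rec["ts"], rec["dest_ip"], rec["dest_port"])
```

On the sample data this flags the link-local metadata-style address and the IPv4-mapped private address, and ignores the allowlisted, external and other-source records.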
