Japanese cybersecurity software program agency Development Micro has patched two essential Apex One vulnerabilities that permit attackers to achieve distant code execution (RCE) on weak Home windows programs.
Apex One is an endpoint safety platform that detects and responds to safety threats, together with malware, spy ware, malicious instruments, and vulnerabilities.
The primary essential Apex One safety flaw patched this week (CVE-2025-71210) is because of a path traversal weak point within the Development Micro Apex One administration console, permitting attackers with out privileges to execute malicious code on unpatched programs.
The second, tracked as CVE-2025-71211, is one other Apex One administration console path traversal vulnerability, comparable in scope to CVE-2025-71210 however affecting a special executable.
As Development Micro defined in a Tuesday safety advisory, profitable exploitation requires attackers to “have entry to the Development Micro Apex One Administration Console, so prospects which have their console’s IP deal with uncovered externally ought to think about mitigating components comparable to supply restrictions if not already utilized.”
“Despite the fact that an exploit might require a number of particular circumstances to be met, Development Micro strongly encourages prospects to replace to the newest builds as quickly as attainable,” it warned.
To deal with these essential safety flaws, Development Micro has patched the vulnerabilities within the SaaS Apex One variations and launched Important Patch Construct 14136, which additionally fixes two high-severity privilege escalation flaws within the Home windows agent and 4 extra affecting the macOS agent.
Whereas Development Micro has not flagged these vulnerabilities as exploited within the wild, menace actors have abused different Apex One in assaults during the last a number of years.
As an illustration, Development Micro warned prospects to patch an actively exploited Apex One RCE vulnerability (CVE-2025-54948) in August 2025, and addressed two different Apex One zero-days exploited within the wild in September 2022 (CVE-2022-40139) and in September 2023 (CVE-2023-41179).
The U.S. Cybersecurity and Infrastructure Safety Company (CISA) presently tracks 10 Development Micro Apex vulnerabilities which have both been or are nonetheless being exploited within the wild.
Fashionable IT infrastructure strikes sooner than guide workflows can deal with.
On this new Tines information, find out how your crew can scale back hidden guide delays, enhance reliability by way of automated response, and construct and scale clever workflows on prime of instruments you already use.
