CVE-2025-30678 Overview
CVE-2025-30678 is a Server-Side Request Forgery (SSRF) vulnerability affecting the modTMSM component of Trend Micro Apex Central (on-premise). An unauthenticated attacker can manipulate request parameters to coerce the server into issuing arbitrary outbound requests. Successful exploitation leads to disclosure of sensitive information from the affected installation. The flaw is categorized under CWE-918 (Server-Side Request Forgery) and is exploitable over the network without user interaction or authentication.
Critical Impact
An unauthenticated remote attacker can abuse the modTMSM component to perform SSRF against Apex Central, exposing internal service responses and sensitive data to external requesters.
Affected Products
- Trend Micro Apex Central 2019 (on-premise) — multiple builds including build_3752 through build_6890
- Trend Micro Apex Central installations running on Microsoft Windows
- On-premise deployments using the modTMSM management module
Discovery Timeline
- 2025-06-17 - CVE-2025-30678 published to the National Vulnerability Database
- 2025-09-08 - Last updated in NVD database
- Vulnerability coordinated through the Zero Day Initiative (advisory ZDI-25-236)
Technical Details for CVE-2025-30678
Vulnerability Analysis
The vulnerability resides in the modTMSM component of Trend Micro Apex Central. The component accepts user-supplied parameters that are incorporated into server-initiated HTTP requests without sufficient validation of the destination. An attacker controlling these parameters can redirect requests to arbitrary URLs, including internal endpoints not normally reachable from outside the management server.
Because the request originates from the Apex Central server itself, it inherits the trust context of that host. Responses from internal services can be returned to the attacker, resulting in information disclosure. The CVSS confidentiality impact is rated High, while integrity and availability are unaffected.
Root Cause
The root cause is improper validation of URL or host parameters passed to a request-forwarding routine inside modTMSM. The component does not enforce an allow-list of permitted destinations and does not normalize input to prevent attackers from supplying internal hostnames, loopback addresses, or alternate IP encodings. This matches the classic SSRF pattern described in CWE-918.
Attack Vector
Exploitation is remote and unauthenticated. An attacker sends a crafted HTTP request to the exposed modTMSM endpoint with manipulated parameters that specify an attacker-chosen target URL. The Apex Central server then performs the outbound request on the attacker's behalf and returns the result. Targets of interest include internal management interfaces, cloud metadata services on the host network, and adjacent application endpoints that trust the Apex Central server. No verified public proof-of-concept has been published, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
See the Zero Day Initiative Advisory ZDI-25-236 for additional technical context.
Detection Methods for CVE-2025-30678
Indicators of Compromise
- Outbound HTTP/HTTPS requests originating from the Apex Central server to internal IP ranges, loopback (127.0.0.1), or cloud metadata endpoints (169.254.169.254)
- Unexpected requests in Apex Central web server logs targeting modTMSM endpoints with URL-like parameter values
- Anomalous response sizes or status codes from modTMSM request handlers correlated with external client activity
Detection Strategies
- Inspect web server and application logs on Apex Central for requests to modTMSM containing user-supplied URL, host, or IP parameters
- Monitor egress traffic from the Apex Central host for connections to non-business destinations and internal-only addresses
- Apply network IDS signatures that flag SSRF parameter patterns in HTTP requests directed at Apex Central management endpoints
Monitoring Recommendations
- Forward Apex Central application logs and host network telemetry to a centralized analytics platform for correlation
- Baseline normal outbound destinations for the Apex Central server and alert on deviations
- Track repeated failed or redirected requests to modTMSM from the same source IP, which may indicate enumeration
How to Mitigate CVE-2025-30678
Immediate Actions Required
- Apply the vendor-supplied patch documented in the Trend Micro Solution Guide KA-0019355
- Restrict network access to the Apex Central management interface to trusted administrative networks only
- Audit recent web server logs for evidence of modTMSM parameter manipulation prior to patch deployment
Patch Information
Trend Micro has released a fixed build for Apex Central 2019. Refer to Trend Micro Solution Guide KA-0019355 for the specific patch package, build number, and installation instructions applicable to your deployment.
Workarounds
- Place the Apex Central server behind a reverse proxy or web application firewall that filters suspicious URL parameters and blocks outbound requests to internal address ranges
- Use host-based firewall rules to deny outbound traffic from the Apex Central server to internal networks and cloud metadata endpoints not required for operation
- Limit exposure of the management console to the public internet until the patch is applied
# Example: restrict outbound access from the Apex Central host on Windows
# Block outbound HTTP/HTTPS to the cloud metadata IP as a defense-in-depth control
New-NetFirewallRule -DisplayName "Block AWS metadata egress" `
-Direction Outbound -RemoteAddress 169.254.169.254 `
-Protocol TCP -RemotePort 80,443 -Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
