Skip to main content
  1. Active Vulnerability List/
  2. 2026/

CVE-2026-34926 | Trend Micro Apex One | PT

FieldDetails
VulnerabilityCVE-2026-34926
Affected ProductTrend Micro Apex One — on-premise server only. Per Trend Micro’s advisory and NVD: “This vulnerability is only exploitable on the on-premise version of Apex One.” Trend Micro Apex One SaaS / cloud-hosted deployments are not affected. Per dailycve.com referencing the Trend Micro security bulletin, the fix ships in Apex One on-premise version ≥ 14.0.0.17079.
TypeRelative Path Traversal / Directory Traversal leading to server-side database manipulation and agent-side code injection across the managed endpoint fleet. CISA’s KEV catalog names this “Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability”.
CWECWE-23: Relative Path Traversal, as assigned by Trend Micro, Inc. (CNA) and recorded in NVD.
DescriptionPer Trend Micro and NVD verbatim: “A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations. This vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability.” In plain terms: an attacker who already has admin credentials on the Apex One management server can use path traversal to tamper with the server’s key/configuration table, which is then used to push attacker-controlled code to every managed endpoint agent at the next deployment cycle. The endpoint protection product becomes the malware delivery mechanism.
SeverityCVSS v3.1: 6.7 MEDIUM (CNA: Trend Micro, Inc.), vector CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L as recorded in NVD. CVSS v4.0: NVD assessment not yet provided at time of writing. NVD record state is “Undergoing Enrichment”.
Root CauseThe Apex One on-premise server does not properly sanitize file paths when accessing server-side resources from an administrative interface. Per dailycve.com: “The Apex One server does not properly sanitize file paths when accessing server directories.” An attacker with valid admin credentials can submit a request containing relative path traversal sequences (e.g., ../../../) that escape the intended directory and reach a server key table holding agent deployment configuration. Modifying that table results in malicious payloads being pushed to all connected agents during normal management traffic. The specific endpoint, parameter, and key-table name are not publicly disclosed by Trend Micro at time of writing. No public PoC code has been released.
Attack VectorLocal (AV:L) per the CVSS vector. “Local” in this context means the attacker interacts with the Apex One server’s local management surface (not “local to a single endpoint” — local to the server’s administrative interface, which may be accessed remotely via the admin console depending on deployment).
Privileges RequiredHigh (PR:H). The attacker must already hold administrative credentials on the Apex One server before this CVE is exploitable. Per NVD’s description: “a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method.” This is not an initial-access bug — it is a blast-radius amplifier that converts management-server admin compromise into fleet-wide endpoint compromise.
User InteractionNone (UI:N) per the NVD CVSS vector. Once the key table is poisoned, the Apex One server itself pushes the malicious payload to agents as part of normal scheduled deployment activity — no end-user action is required at any endpoint.
ImpactHigh Confidentiality / Low Integrity / Low Availability on the server (C:H/I:L/A:L) with Scope: Changed (S:C) — meaning the impact extends beyond the vulnerable component to other security-managed assets. Practically, the changed scope captures the agent fleet: a single server-side manipulation propagates malicious code to every connected Apex One agent. Per CISA, Trend Micro, and multiple secondary sources, successful exploitation enables agent-level code injection across the managed estate, conversion of the endpoint protection platform into a malware delivery channel, and potential for large-scale enterprise compromise, data exfiltration, and lateral movement.
Why the Bug MattersApex One is an endpoint detection and response (EDR) platform deployed across government, defense, critical infrastructure, and enterprise environments. The Apex One server is explicitly trusted by every managed agent for software deployment — that trust relationship is the asset under attack. The CVSS score of 6.7 understates real risk because the scoring captures the bug in isolation, not the scope change to the entire endpoint fleet. A compromised Apex One server with this CVE is a distribution point for arbitrary code on every host the product protects. This is the same threat shape as supply-chain attacks on update servers (Kaseya VSA, SolarWinds Orion) — just internal rather than vendor-side. For DFIR responders, treat any incident where Apex One server admin is compromised as a potential fleet-wide poisoning event until proven otherwise.
Execution Flow1. Attacker obtains administrative credentials to the Apex One on-premise server by some other means — credential theft from a sysadmin workstation, prior Apex One vulnerability, weak password, compromised AD account with delegated rights, or insider access. 2. Attacker authenticates to the Apex One server’s administrative interface using those credentials. 3. Attacker submits an administrative request containing relative path traversal sequences that bypass the server’s directory restrictions and reach a key configuration table governing agent deployment. 4. Attacker modifies the key table to inject malicious code (or a reference to a malicious payload) into the deployment workflow. 5. Apex One’s normal agent communication and deployment cycle distributes the modified configuration / payload to every managed endpoint agent. 6. Malicious code executes on every agent as a trusted Apex One deployment — bypassing application allow-listing, EDR self-protection, and user suspicion in one move.
Threat Model / Abuse Scenarios- Post-Active-Directory-compromise fleet-wide poisoning — once attackers have Domain Admin or equivalent, the Apex One server admin account is typically within reach
- Insider supply-chain abuse — a malicious sysadmin with legitimate Apex One server access converts that access into untraceable fleet-wide code execution
- Ransomware deployment via trusted channel — ransomware operators historically use enterprise management tools (PsExec, GPO, SCCM, RMM) for deployment; abusing Apex One adds a vector that bypasses self-protection
- Stealth implant deployment — attackers seeking long-term persistence push lightweight implants through the security agent itself, which provides excellent execution context
- Defense neutralization at scale — push agent configuration changes that disable Apex One’s own detection capabilities across the entire fleet before staging the next phase
Detection Opportunities- Apex One server admin authentication logs: monitor for administrative logins from unusual IP addresses, user accounts, or time windows, particularly any login activity from accounts not normally administering the platform.
- Apex One server access/audit logs: hunt for path-traversal sequences in HTTP requests to administrative endpoints — patterns including ..\, ../, URL-encoded %2e%2e%2f, double-encoded %252e%252e%252f, or alternative encodings. Per dailycve.com, look in C:\Program Files\Trend Micro\Apex One\Log.
- Apex One server file integrity monitoring: detect unauthorized modifications to server-side configuration files, the agent deployment package store, or the management database.
- Agent-side telemetry: monitor for unexpected updates or new components delivered by the Apex One agent across the fleet — a sudden change in agent-deployed binaries on many endpoints simultaneously is anomalous.
- EDR / Sysmon on managed endpoints: hunt for child processes spawned by the Apex One agent service (typically TmListen.exe, PccNTMon.exe, Ntrtscan.exe) that are not signed by Trend Micro or that write to non-standard locations.
- Inferred from bug mechanics: Apex One server’s web management console logs for HTTP POST/PUT requests carrying path-traversal parameters to administrative endpoints.
High-Value Detection Clues- Apex One server running version below 14.0.0.17079 after May 21, 2026 — query: reg query "HKLM\SOFTWARE\TrendMicro\Apex One" /v Version per dailycve.com
- Path-traversal patterns (..\..\, ../../../, URL-encoded variants) in Apex One server log entries
- Simultaneous agent updates across many endpoints outside of a scheduled Trend Micro deployment cycle
- Apex One agent processes spawning non-Trend-Micro signed binaries on managed endpoints
- Modifications to Apex One server database tables outside of vendor maintenance windows or normal admin activity
- Inferred from bug mechanics: unexpected outbound connections from Apex One agent processes to non-Trend-Micro infrastructure shortly after a deployment cycle
Example Hunt Ideas- In Apex One server access logs: regex hunt for `../
MitigationApply the official Trend Micro security update. Per dailycve.com referencing the Trend Micro security bulletin (KA-0023430), the fix is in Apex One on-premise version 14.0.0.17079 or later. Verify the patch on every Apex One server in the estate — particularly in air-gapped or geographically distributed deployments where update cycles may lag. Until patched, restrict local and network access to the Apex One server’s administrative interface to a tightly controlled jump-host or PAW (privileged access workstation), and monitor admin session activity continuously. Rotate all administrative credentials on the Apex One server if there is any suspicion they have been exposed. Audit recent administrative activity including login times, source IPs, and configuration changes since the disclosure timeline (CVE published 2026-05-21).
Solution StatusPatched. Trend Micro published the security update referenced in advisories KA-0023430 (English) and KA-0022974 (Japanese). Per dailycve.com, the fix is in Apex One on-premise version 14.0.0.17079. Trend Micro’s full advisory text is on the customer success portal (linked in References). JPCERT/CC and JVN have also published coordinated advisories (JVNVU#90583059, JPCERT AT-2026-014) given Trend Micro’s Japanese vendor base.
MITRE ATT&CK MappingATT&CK mapping not publicly established by Trend Micro or CISA at time of writing. Inferred from bug mechanics: T1072 Software Deployment Tools is the direct fit — the adversary abuses an enterprise software deployment platform (Apex One’s agent push channel) to execute code at scale across the fleet. Supporting techniques: T1565.001 Data Manipulation: Stored Data Manipulation (modification of the server’s key table), T1554 Compromise Host Software Binary (injection of malicious payload into agent-deployed binaries), and T1078 Valid Accounts (the prerequisite — attacker uses legitimate admin credentials obtained prior). For post-exploitation following fleet poisoning, expect the full Initial Access → Execution → Persistence chain on every affected endpoint depending on the payload.
Limitations / Constraints- Not an initial-access bug. Attacker must already hold administrative credentials to the Apex One server — this CVE alone does not breach the network.
- On-premise only. Apex One SaaS / cloud is not affected.
- CVSS 6.7 is a low-medium score that materially understates blast radius — the scope change (S:C) to the agent fleet is the actual risk story.
- No public PoC code at time of writing. Detection rule authoring relies on path-traversal pattern matching and post-exploitation behavioral hunts rather than known exploit traffic.
- Specific vulnerable endpoint, parameter, and key-table name are not publicly disclosed by Trend Micro, limiting precision of pre-patch network-level detection.
References- https://nvd.nist.gov/vuln/detail/CVE-2026-34926
- https://success.trendmicro.com/en-US/solution/KA-0023430
- https://success.trendmicro.com/ja-JP/solution/KA-0022974
- https://jvn.jp/en/vu/JVNVU90583059/
- https://www.jpcert.or.jp/english/at/2026/at260014.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34926
- https://thehackernews.com/2026/05/cisa-adds-exploited-langflow-and-trend.html
- https://cybersecuritynews.com/trend-micro-apex-one-vulnerability-exploited/
- https://cyberpress.org/exploited-trend-micro-apex/
- https://gbhackers.com/cisa-warns-trend-micro-apex-one-vulnerability/
- https://dailycve.com/trend-micro-apex-one-directory-traversal-cve-2026-34926-medium/
- https://vulert.com/blog/cve-2025-34291-cve-2026-34926-cisa-kev-exploited/