Severity by source
AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations.
This vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability.
Articles & Coverage 1
AnalysisAI
Directory traversal in Trend Micro Apex One on-premise server (versions before 14.0.0.17079) enables a highly privileged local attacker to manipulate a key server table and inject malicious code that propagates to all managed endpoint agents, effectively weaponizing the EDR platform's own distribution infrastructure. The attack requires an adversary who has already obtained administrative credentials to the Apex One server through a separate compromise vector. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the changed scope (S:C) in the CVSS vector signals that a successful exploit extends impact beyond the server itself to the entire managed agent fleet.
Technical ContextAI
Trend Micro Apex One is an on-premise enterprise endpoint detection and response (EDR) platform identified by CPE cpe:2.3:a:trend_micro,_inc.:trendai_apex_one:*:*:*:*:*:*:*:*. The root cause is CWE-23 (Relative Path Traversal), a class of vulnerability where insufficient sanitization of file path inputs allows an attacker to reference files outside the intended directory scope. In this case, the traversal targets a 'key table' on the server - likely a configuration or code-deployment manifest - whose contents are subsequently pushed down to managed agents as part of Apex One's normal update or policy distribution mechanism. The CVSS scope value of S:C (Changed) is the critical technical signal: a successful server-side exploit has blast radius across all agents the server manages, making the server a force-multiplier for downstream compromise.
RemediationAI
Vendor-released patch is available. Organizations running Apex One 2019 (14.0) on-premise should upgrade to version 14.0.0.17079 or later per the Trend Micro advisory at https://success.trendmicro.com/en-US/solution/KA-0023430 (Japanese-language advisory at https://success.trendmicro.com/ja-JP/solution/KA-0022974; JPCERT coordination notice at https://www.jpcert.or.jp/english/at/2026/at260014.html). Until patching is complete, restrict local and remote administrative access to the Apex One server to named accounts with MFA enforced - given PR:H is required, hardening the admin credential surface is the highest-value compensating control. Additionally, audit and alert on unexpected changes to server-side configuration or deployment tables as an anomaly detection measure, since the attack modifies a key table prior to agent deployment. Network segmentation to limit which systems can initiate sessions to the Apex One server console will reduce the AV:L exposure surface for remotely administered deployments.
More in Trendai Apex One
View allLocal privilege escalation in Trend Micro Apex One and Apex One as a Service agents allows an attacker with low-privileg
Local privilege escalation in Trend Micro Apex One and Apex One as a Service allows an authenticated low-privileged user
Local privilege escalation in Trend Micro Apex One and Apex One as a Service allows low-privileged attackers to elevate
Local privilege escalation in Trend Micro Apex One and Apex One as a Service stems from an origin validation weakness (C
Local privilege escalation in Trend Micro Apex One and Apex One as a Service agents allows an attacker with low-privileg
Local privilege escalation in Trend Micro Apex One and Apex One as a Service security agents allows a low-privileged att
Local privilege escalation in Trend Micro Apex One (on-premises 2019/14.0) and Apex One as a Service allows a low-privil
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31284
GHSA-4ccp-cqrh-3w9v