Skip to main content

Trend Micro Apex One CVE-2026-34926

| EUVDEUVD-2026-31284 MEDIUM
Relative Path Traversal (CWE-23)
2026-05-21 trendmicro GHSA-4ccp-cqrh-3w9v
6.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.7 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Added to CISA KEV
May 21, 2026 - 19:31 CISA
Analysis Generated
May 21, 2026 - 14:21 vuln.today
Patch available
May 21, 2026 - 14:02 EUVD

DescriptionCVE.org

A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations.

This vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability.

AnalysisAI

Directory traversal in Trend Micro Apex One on-premise server (versions before 14.0.0.17079) enables a highly privileged local attacker to manipulate a key server table and inject malicious code that propagates to all managed endpoint agents, effectively weaponizing the EDR platform's own distribution infrastructure. The attack requires an adversary who has already obtained administrative credentials to the Apex One server through a separate compromise vector. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the changed scope (S:C) in the CVSS vector signals that a successful exploit extends impact beyond the server itself to the entire managed agent fleet.

Technical ContextAI

Trend Micro Apex One is an on-premise enterprise endpoint detection and response (EDR) platform identified by CPE cpe:2.3:a:trend_micro,_inc.:trendai_apex_one:*:*:*:*:*:*:*:*. The root cause is CWE-23 (Relative Path Traversal), a class of vulnerability where insufficient sanitization of file path inputs allows an attacker to reference files outside the intended directory scope. In this case, the traversal targets a 'key table' on the server - likely a configuration or code-deployment manifest - whose contents are subsequently pushed down to managed agents as part of Apex One's normal update or policy distribution mechanism. The CVSS scope value of S:C (Changed) is the critical technical signal: a successful server-side exploit has blast radius across all agents the server manages, making the server a force-multiplier for downstream compromise.

RemediationAI

Vendor-released patch is available. Organizations running Apex One 2019 (14.0) on-premise should upgrade to version 14.0.0.17079 or later per the Trend Micro advisory at https://success.trendmicro.com/en-US/solution/KA-0023430 (Japanese-language advisory at https://success.trendmicro.com/ja-JP/solution/KA-0022974; JPCERT coordination notice at https://www.jpcert.or.jp/english/at/2026/at260014.html). Until patching is complete, restrict local and remote administrative access to the Apex One server to named accounts with MFA enforced - given PR:H is required, hardening the admin credential surface is the highest-value compensating control. Additionally, audit and alert on unexpected changes to server-side configuration or deployment tables as an anomaly detection measure, since the attack modifies a key table prior to agent deployment. Network segmentation to limit which systems can initiate sessions to the Apex One server console will reduce the AV:L exposure surface for remotely administered deployments.

Share

CVE-2026-34926 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy