Skip to main content

Trend Micro Apex One CVE-2026-34927

| EUVDEUVD-2026-31285 HIGH
Origin Validation Error (CWE-346)
2026-05-21 trendmicro GHSA-c93p-h3cc-p7rr
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 21, 2026 - 14:19 vuln.today
Patch available
May 21, 2026 - 14:02 EUVD

DescriptionCVE.org

An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

AnalysisAI

Local privilege escalation in Trend Micro Apex One (on-premises 2019/14.0) and Apex One as a Service allows a low-privileged user already executing code on the host to elevate to higher privileges by abusing an origin validation weakness in the security agent. The flaw carries a CVSS 7.8 (local, low complexity) and no public exploit identified at time of analysis, but because the agent typically runs with SYSTEM-level rights, successful exploitation yields full host compromise. Trend Micro has issued patched builds (KA-0023430).

Technical ContextAI

The defect is classified as CWE-346 (Origin Validation Error), meaning the Apex One security agent - an endpoint protection component running as a privileged Windows service - accepts input, IPC messages, or control instructions without correctly verifying that the source actually has authority to issue them. CPE data identifies the affected components as cpe:2.3:a:trend_micro,_inc.:trendai_apex_one and cpe:2.3:a:trend_micro,_inc.:trendai_apex_one_as_a_service, both of which deploy an endpoint agent that exposes local interfaces for management, scanning, and update tasks. When such an agent fails to authenticate the origin of a privileged operation, a process running as a normal Windows user can impersonate a trusted caller and trick the agent into performing actions in the agent's own (SYSTEM) security context.

RemediationAI

Vendor-released patch: upgrade Apex One 2019 on-premises agents to build 14.0.0.17079 or later, and ensure Apex One as a Service tenants are on 14.0.20731 or later, per Trend Micro advisory KA-0023430 (https://success.trendmicro.com/en-US/solution/KA-0023430); SaaS tenants will receive the fix from Trend Micro centrally, while on-premises customers must distribute the agent update through the Apex One management server. Until patching completes, reduce exposure by restricting which users can execute code on endpoints running the agent - tighten AppLocker/WDAC policies, remove unnecessary local logon rights on shared/RDP/VDI hosts, and audit any service accounts that hold interactive logon. Avoid disabling the agent itself as a workaround, since that removes endpoint protection and trades a privilege-escalation risk for a broader malware risk.

Share

CVE-2026-34927 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy