Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
AnalysisAI
Local privilege escalation in Trend Micro Apex One (on-premises 2019/14.0) and Apex One as a Service allows a low-privileged user already executing code on the host to elevate to higher privileges by abusing an origin validation weakness in the security agent. The flaw carries a CVSS 7.8 (local, low complexity) and no public exploit identified at time of analysis, but because the agent typically runs with SYSTEM-level rights, successful exploitation yields full host compromise. Trend Micro has issued patched builds (KA-0023430).
Technical ContextAI
The defect is classified as CWE-346 (Origin Validation Error), meaning the Apex One security agent - an endpoint protection component running as a privileged Windows service - accepts input, IPC messages, or control instructions without correctly verifying that the source actually has authority to issue them. CPE data identifies the affected components as cpe:2.3:a:trend_micro,_inc.:trendai_apex_one and cpe:2.3:a:trend_micro,_inc.:trendai_apex_one_as_a_service, both of which deploy an endpoint agent that exposes local interfaces for management, scanning, and update tasks. When such an agent fails to authenticate the origin of a privileged operation, a process running as a normal Windows user can impersonate a trusted caller and trick the agent into performing actions in the agent's own (SYSTEM) security context.
RemediationAI
Vendor-released patch: upgrade Apex One 2019 on-premises agents to build 14.0.0.17079 or later, and ensure Apex One as a Service tenants are on 14.0.20731 or later, per Trend Micro advisory KA-0023430 (https://success.trendmicro.com/en-US/solution/KA-0023430); SaaS tenants will receive the fix from Trend Micro centrally, while on-premises customers must distribute the agent update through the Apex One management server. Until patching completes, reduce exposure by restricting which users can execute code on endpoints running the agent - tighten AppLocker/WDAC policies, remove unnecessary local logon rights on shared/RDP/VDI hosts, and audit any service accounts that hold interactive logon. Avoid disabling the agent itself as a workaround, since that removes endpoint protection and trades a privilege-escalation risk for a broader malware risk.
More in Trendai Apex One
View allDirectory traversal in Trend Micro Apex One on-premise server (versions before 14.0.0.17079) enables a highly privileged
Local privilege escalation in Trend Micro Apex One and Apex One as a Service agents allows an attacker with low-privileg
Local privilege escalation in Trend Micro Apex One and Apex One as a Service allows an authenticated low-privileged user
Local privilege escalation in Trend Micro Apex One and Apex One as a Service allows low-privileged attackers to elevate
Local privilege escalation in Trend Micro Apex One and Apex One as a Service stems from an origin validation weakness (C
Local privilege escalation in Trend Micro Apex One and Apex One as a Service agents allows an attacker with low-privileg
Local privilege escalation in Trend Micro Apex One and Apex One as a Service security agents allows a low-privileged att
Same weakness CWE-346 – Origin Validation Error
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31285
GHSA-c93p-h3cc-p7rr