Skip to main content

Trend Micro Apex One CVE-2026-34928

| EUVDEUVD-2026-31286 HIGH
Origin Validation Error (CWE-346)
2026-05-21 trendmicro GHSA-74v9-v9f7-f4p8
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 21, 2026 - 14:19 vuln.today
Patch available
May 21, 2026 - 14:02 EUVD

DescriptionCVE.org

An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-34927 but exists in a different named pipe communication mechanism.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

AnalysisAI

Local privilege escalation in Trend Micro Apex One and Apex One as a Service security agents allows a low-privileged attacker who already has code execution on the endpoint to elevate to higher privileges by abusing a named pipe that fails to validate the origin of incoming connections. The flaw is companion to CVE-2026-34927 (a sibling issue in a different named pipe) and currently has no public exploit identified at time of analysis, but its presence in widely-deployed endpoint security software materially raises post-compromise risk.

Technical ContextAI

The vulnerability sits in the inter-process communication layer of the Apex One/SEP endpoint agent, which uses Windows named pipes to broker requests between low-privileged client components and privileged service components (typically running as SYSTEM). The root cause maps to CWE-346 (Origin Validation Error): the privileged pipe server does not adequately verify the identity or trust level of the connecting peer before honoring its requests, so any local process able to open the pipe can impersonate a legitimate client. Per the CPE data, both the on-premise Apex One 2019 (14.0) build line and the SaaS-managed Apex One as a Service deployment share the affected code path. Trend Micro disclosed this as a parallel finding to CVE-2026-34927, indicating multiple pipes in the agent share the same trust-boundary weakness.

RemediationAI

Vendor-released patch: upgrade on-premise Apex One 2019 to build 14.0.0.17079 or later; Apex One as a Service tenants are remediated by the vendor at build 14.0.20731 (verify the customer console reflects the upgraded build). Patch details and download instructions are in Trend Micro KA-0023430 (https://success.trendmicro.com/en-US/solution/KA-0023430). Until the agent build is updated, compensating controls are limited because the vulnerable pipe is part of the security agent itself - restrict who can log into endpoints interactively or run code at low privilege (tighten AppLocker/WDAC, remove unnecessary local accounts, enforce LAPS and MFA on assisted-logon paths), and monitor for anomalous named-pipe connections to Trend Micro service pipes via Sysmon event ID 17/18 or EDR equivalent. Disabling or stopping the agent is not a viable workaround as it removes the endpoint protection itself; if absolutely required as a stopgap on isolated systems, compensate with host isolation and stricter network segmentation, accepting the loss of AV/EDR telemetry during that window.

Share

CVE-2026-34928 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy