Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-34927 but exists in a different named pipe communication mechanism.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
AnalysisAI
Local privilege escalation in Trend Micro Apex One and Apex One as a Service security agents allows a low-privileged attacker who already has code execution on the endpoint to elevate to higher privileges by abusing a named pipe that fails to validate the origin of incoming connections. The flaw is companion to CVE-2026-34927 (a sibling issue in a different named pipe) and currently has no public exploit identified at time of analysis, but its presence in widely-deployed endpoint security software materially raises post-compromise risk.
Technical ContextAI
The vulnerability sits in the inter-process communication layer of the Apex One/SEP endpoint agent, which uses Windows named pipes to broker requests between low-privileged client components and privileged service components (typically running as SYSTEM). The root cause maps to CWE-346 (Origin Validation Error): the privileged pipe server does not adequately verify the identity or trust level of the connecting peer before honoring its requests, so any local process able to open the pipe can impersonate a legitimate client. Per the CPE data, both the on-premise Apex One 2019 (14.0) build line and the SaaS-managed Apex One as a Service deployment share the affected code path. Trend Micro disclosed this as a parallel finding to CVE-2026-34927, indicating multiple pipes in the agent share the same trust-boundary weakness.
RemediationAI
Vendor-released patch: upgrade on-premise Apex One 2019 to build 14.0.0.17079 or later; Apex One as a Service tenants are remediated by the vendor at build 14.0.20731 (verify the customer console reflects the upgraded build). Patch details and download instructions are in Trend Micro KA-0023430 (https://success.trendmicro.com/en-US/solution/KA-0023430). Until the agent build is updated, compensating controls are limited because the vulnerable pipe is part of the security agent itself - restrict who can log into endpoints interactively or run code at low privilege (tighten AppLocker/WDAC, remove unnecessary local accounts, enforce LAPS and MFA on assisted-logon paths), and monitor for anomalous named-pipe connections to Trend Micro service pipes via Sysmon event ID 17/18 or EDR equivalent. Disabling or stopping the agent is not a viable workaround as it removes the endpoint protection itself; if absolutely required as a stopgap on isolated systems, compensate with host isolation and stricter network segmentation, accepting the loss of AV/EDR telemetry during that window.
More in Trendai Apex One
View allDirectory traversal in Trend Micro Apex One on-premise server (versions before 14.0.0.17079) enables a highly privileged
Local privilege escalation in Trend Micro Apex One and Apex One as a Service agents allows an attacker with low-privileg
Local privilege escalation in Trend Micro Apex One and Apex One as a Service allows an authenticated low-privileged user
Local privilege escalation in Trend Micro Apex One and Apex One as a Service allows low-privileged attackers to elevate
Local privilege escalation in Trend Micro Apex One and Apex One as a Service stems from an origin validation weakness (C
Local privilege escalation in Trend Micro Apex One and Apex One as a Service agents allows an attacker with low-privileg
Local privilege escalation in Trend Micro Apex One (on-premises 2019/14.0) and Apex One as a Service allows a low-privil
Same weakness CWE-346 – Origin Validation Error
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31286
GHSA-74v9-v9f7-f4p8