Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-34927 but exists in a different inter-process communication mechanism.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
AnalysisAI
Local privilege escalation in Trend Micro Apex One and Apex One as a Service agents allows an attacker with low-privileged code execution to gain elevated rights by exploiting weak origin validation in an inter-process communication channel. No public exploit identified at time of analysis, but the flaw is a sibling to CVE-2026-34927 (different IPC mechanism in the same agent) which raises the likelihood of researcher and adversary interest. Vendor patches are available for both the on-prem 2019 (14.0) line and the SaaS offering.
Technical ContextAI
The defect is classified as CWE-346 (Origin Validation Error). The Apex One/SEP endpoint agent exposes one or more IPC endpoints (named pipes, RPC, or LPC channels typical of Windows endpoint security agents) that other components on the host use to request privileged operations. When the agent receives a request, it fails to correctly verify the identity, token, or process integrity level of the caller, so a low-privileged local process can impersonate or masquerade as a trusted client and have privileged operations performed on its behalf. The vulnerability affects the TrendAI Apex One product line per the supplied CPE strings (cpe:2.3:a:trend_micro,_inc.:trendai_apex_one and trendai_apex_one_as_a_service), which run as SYSTEM-level services on Windows endpoints, making any origin-check bypass a direct route from user to SYSTEM.
RemediationAI
Apply the vendor-released patches: upgrade on-prem Apex One 2019 (14.0) to build 14.0.0.17079 or later, and ensure Apex One as a Service tenants are on build 14.0.20731 or later (SaaS customers should verify the agent build pushed to endpoints rather than assume the back-end upgrade carries through). The Trend Micro advisory at https://success.trendmicro.com/en-US/solution/KA-0023430 is the authoritative source for fix details. As the vulnerability requires prior low-privileged code execution, compensating controls until patching completes include restricting interactive logon and shell access on Apex One-protected servers to administrators only, enforcing application allowlisting (Windows Defender Application Control or equivalent) on user-writable directories to prevent low-privileged code execution in the first place, and monitoring for unexpected child processes of the Apex One agent service or anomalous IPC clients connecting to its named pipes - note that aggressive allowlisting can break legitimate developer and admin tooling, and pipe-level monitoring requires Sysmon or an EDR with IPC visibility.
More in Trendai Apex One
View allDirectory traversal in Trend Micro Apex One on-premise server (versions before 14.0.0.17079) enables a highly privileged
Local privilege escalation in Trend Micro Apex One and Apex One as a Service agents allows an attacker with low-privileg
Local privilege escalation in Trend Micro Apex One and Apex One as a Service allows an authenticated low-privileged user
Local privilege escalation in Trend Micro Apex One and Apex One as a Service allows low-privileged attackers to elevate
Local privilege escalation in Trend Micro Apex One and Apex One as a Service stems from an origin validation weakness (C
Local privilege escalation in Trend Micro Apex One and Apex One as a Service security agents allows a low-privileged att
Local privilege escalation in Trend Micro Apex One (on-premises 2019/14.0) and Apex One as a Service allows a low-privil
Same weakness CWE-346 – Origin Validation Error
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31280
GHSA-ff4m-qxjh-q4cw