Skip to main content

Trend Micro Apex One CVE-2026-34930

| EUVDEUVD-2026-31282 HIGH
Origin Validation Error (CWE-346)
2026-05-21 trendmicro GHSA-w6rw-fq38-ch7g
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 21, 2026 - 14:16 vuln.today
Patch available
May 21, 2026 - 14:02 EUVD

DescriptionCVE.org

An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-34927 but exists in a different process protection mechanism.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

AnalysisAI

Local privilege escalation in Trend Micro Apex One and Apex One as a Service stems from an origin validation weakness (CWE-346) in one of the agent's process protection mechanisms, allowing a low-privileged local attacker to elevate to SYSTEM-level privileges on affected installations. The flaw was reported by Trend Micro itself and is a sibling issue to CVE-2026-34927, which affects a different process protection mechanism in the same agent. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Technical ContextAI

Apex One is Trend Micro's enterprise endpoint protection platform, which runs a privileged agent service on Windows hosts to provide anti-malware, behavior monitoring, and process protection. CWE-346 (Origin Validation Error) means the agent accepts requests or signals from a calling process without sufficiently verifying that the caller is actually a trusted Trend Micro component. Because the affected mechanism is one of the agent's self/process protection subsystems, a non-trusted local process can masquerade as authorized and invoke a protected code path that runs in the agent's SYSTEM context. The affected CPEs are cpe:2.3:a:trend_micro,_inc.:trendai_apex_one and cpe:2.3:a:trend_micro,_inc.:trendai_apex_one_as_a_service, covering both the on-premises and SaaS-managed agent deployments.

RemediationAI

Apply the vendor-released patch by upgrading Apex One 2019 (14.0) on-premises agents to 14.0.0.17079 or later and ensuring Apex One as a Service tenants are on 14.0.20731 or later, as listed in EUVD-2026-31282 and the Trend Micro advisory at https://success.trendmicro.com/en-US/solution/KA-0023430. SaaS customers typically receive the update automatically from the management console, but administrators should confirm agent build numbers on managed endpoints after the maintenance window. Because exploitation requires prior low-privileged code execution on the endpoint, interim compensating controls include enforcing application allow-listing or AppLocker/WDAC policies to limit unauthorized local code execution, restricting interactive logon to trusted users, and monitoring for anomalous child processes of the Apex One agent service - these reduce the pool of attackers who can stage the prerequisite local foothold but do not remove the underlying origin validation defect.

Share

CVE-2026-34930 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy