Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-45207 but exists in a different process protection communication mechanism.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
AnalysisAI
Local privilege escalation in Trend Micro Apex One and Apex One as a Service allows low-privileged attackers to elevate to higher privileges by abusing an origin validation weakness (CWE-346) in one of the agent's process protection communication mechanisms. The flaw is a sibling issue to CVE-2026-45207 affecting a different IPC channel and is reported by Trend Micro itself; no public exploit identified at time of analysis and the CVE is not on CISA KEV.
Technical ContextAI
Apex One (formerly OfficeScan) is Trend Micro's endpoint security suite that includes a kernel-assisted self-protection layer designed to keep malware from tampering with the agent. That layer relies on inter-process communication between privileged services (such as TmListen / NTRtScan) and helper components, and it must verify that incoming requests genuinely originate from a trusted Trend Micro process. CWE-346 (Origin Validation Error) indicates the affected IPC endpoint trusts caller identity without sufficient cryptographic or kernel-mediated verification - for example, relying on process name, window handle, or a forgeable token - allowing an unprivileged local process to impersonate a trusted client. The CPE strings list both the on-premises Apex One 2019 (14.0) build and the Apex One as a Service SaaS-managed agent as affected.
RemediationAI
Apply the vendor-released patch: upgrade on-premises Apex One 2019 (14.0) agents to build 14.0.0.17079 or later, and for Apex One as a Service confirm the cloud-managed agent is updated to build 14.0.20731 or later (SaaS tenants typically receive this push automatically but should verify rollout in the management console). The vendor advisory at https://success.trendmicro.com/en-US/solution/KA-0023430 details the deployment steps. Because the prerequisite is local code execution by a low-privileged user, interim compensating controls include restricting interactive logon and execution on endpoints to trusted accounts, enforcing application allowlisting (Windows Defender Application Control or AppLocker) to block arbitrary low-privileged binaries from running, and monitoring for unusual processes communicating with TmListen / Apex One agent services; these controls reduce risk but do not close the IPC origin-validation gap and may break legitimate tooling on developer or admin workstations.
More in Trendai Apex One
View allDirectory traversal in Trend Micro Apex One on-premise server (versions before 14.0.0.17079) enables a highly privileged
Local privilege escalation in Trend Micro Apex One and Apex One as a Service agents allows an attacker with low-privileg
Local privilege escalation in Trend Micro Apex One and Apex One as a Service allows an authenticated low-privileged user
Local privilege escalation in Trend Micro Apex One and Apex One as a Service stems from an origin validation weakness (C
Local privilege escalation in Trend Micro Apex One and Apex One as a Service agents allows an attacker with low-privileg
Local privilege escalation in Trend Micro Apex One and Apex One as a Service security agents allows a low-privileged att
Local privilege escalation in Trend Micro Apex One (on-premises 2019/14.0) and Apex One as a Service allows a low-privil
Same weakness CWE-346 – Origin Validation Error
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31278
GHSA-3m5q-2hhf-3c5f