Skip to main content

Trend Micro Apex One CVE-2026-45206

| EUVDEUVD-2026-31278 HIGH
Origin Validation Error (CWE-346)
2026-05-21 trendmicro GHSA-3m5q-2hhf-3c5f
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 21, 2026 - 14:17 vuln.today
Patch available
May 21, 2026 - 14:02 EUVD

DescriptionCVE.org

An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-45207 but exists in a different process protection communication mechanism.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

AnalysisAI

Local privilege escalation in Trend Micro Apex One and Apex One as a Service allows low-privileged attackers to elevate to higher privileges by abusing an origin validation weakness (CWE-346) in one of the agent's process protection communication mechanisms. The flaw is a sibling issue to CVE-2026-45207 affecting a different IPC channel and is reported by Trend Micro itself; no public exploit identified at time of analysis and the CVE is not on CISA KEV.

Technical ContextAI

Apex One (formerly OfficeScan) is Trend Micro's endpoint security suite that includes a kernel-assisted self-protection layer designed to keep malware from tampering with the agent. That layer relies on inter-process communication between privileged services (such as TmListen / NTRtScan) and helper components, and it must verify that incoming requests genuinely originate from a trusted Trend Micro process. CWE-346 (Origin Validation Error) indicates the affected IPC endpoint trusts caller identity without sufficient cryptographic or kernel-mediated verification - for example, relying on process name, window handle, or a forgeable token - allowing an unprivileged local process to impersonate a trusted client. The CPE strings list both the on-premises Apex One 2019 (14.0) build and the Apex One as a Service SaaS-managed agent as affected.

RemediationAI

Apply the vendor-released patch: upgrade on-premises Apex One 2019 (14.0) agents to build 14.0.0.17079 or later, and for Apex One as a Service confirm the cloud-managed agent is updated to build 14.0.20731 or later (SaaS tenants typically receive this push automatically but should verify rollout in the management console). The vendor advisory at https://success.trendmicro.com/en-US/solution/KA-0023430 details the deployment steps. Because the prerequisite is local code execution by a low-privileged user, interim compensating controls include restricting interactive logon and execution on endpoints to trusted accounts, enforcing application allowlisting (Windows Defender Application Control or AppLocker) to block arbitrary low-privileged binaries from running, and monitoring for unusual processes communicating with TmListen / Apex One agent services; these controls reduce risk but do not close the IPC origin-validation gap and may break legitimate tooling on developer or admin workstations.

Share

CVE-2026-45206 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy