Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-45206 but exists in a different process protection communication mechanism.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
AnalysisAI
Local privilege escalation in Trend Micro Apex One and Apex One as a Service allows an authenticated low-privileged user to elevate to higher privileges by abusing an origin validation flaw in one of the agent's process protection communication mechanisms. No public exploit identified at time of analysis, but the vulnerability is companion to CVE-2026-45206 in a parallel code path, which suggests the underlying class of issue is actively being researched by Trend Micro's own team.
Technical ContextAI
The flaw is rooted in CWE-346 (Origin Validation Error). The Apex One agent uses inter-process communication channels to enforce its self-protection and process protection features - privileged components accept commands or events from peer processes but fail to adequately verify that the originating process is actually the trusted Trend Micro component it claims to be. According to the advisory this is a distinct IPC/protection mechanism from the one corrected in CVE-2026-45206, meaning the agent exposes more than one trust boundary using the same flawed validation pattern. Affected CPEs identify both the on-premises product (cpe:2.3:a:trend_micro,_inc.:trendai_apex_one) and the SaaS variant (trendai_apex_one_as_a_service).
RemediationAI
Vendor-released patch: upgrade Apex One 2019 on-premises agents to build 14.0.0.17079 or later; Apex One as a Service customers should ensure their tenant has been migrated to build 14.0.20731 or later (Trend Micro typically rolls SaaS fixes automatically but admins should verify via the management console). Refer to Trend Micro solution article KA-0023430 at https://success.trendmicro.com/en-US/solution/KA-0023430 for deployment guidance. Because exploitation requires prior low-privileged code execution on the endpoint, compensating controls until patching completes include restricting interactive logon and code-execution rights on Apex One-protected endpoints (application control, AppLocker/WDAC, removing local Users from RDP/interactive groups) and tightening EDR alerts on tampering with Trend Micro service processes; note these controls reduce but do not eliminate exposure on multi-user systems and may break legitimate user workflows on shared workstations.
More in Trendai Apex One
View allDirectory traversal in Trend Micro Apex One on-premise server (versions before 14.0.0.17079) enables a highly privileged
Local privilege escalation in Trend Micro Apex One and Apex One as a Service agents allows an attacker with low-privileg
Local privilege escalation in Trend Micro Apex One and Apex One as a Service allows low-privileged attackers to elevate
Local privilege escalation in Trend Micro Apex One and Apex One as a Service stems from an origin validation weakness (C
Local privilege escalation in Trend Micro Apex One and Apex One as a Service agents allows an attacker with low-privileg
Local privilege escalation in Trend Micro Apex One and Apex One as a Service security agents allows a low-privileged att
Local privilege escalation in Trend Micro Apex One (on-premises 2019/14.0) and Apex One as a Service allows a low-privil
Same weakness CWE-346 – Origin Validation Error
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31279
GHSA-v27h-98f7-4563