Skip to main content

Trend Micro Apex One CVE-2026-45207

| EUVDEUVD-2026-31279 HIGH
Origin Validation Error (CWE-346)
2026-05-21 trendmicro GHSA-v27h-98f7-4563
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 21, 2026 - 14:19 vuln.today
Patch available
May 21, 2026 - 14:02 EUVD

DescriptionCVE.org

An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-45206 but exists in a different process protection communication mechanism.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

AnalysisAI

Local privilege escalation in Trend Micro Apex One and Apex One as a Service allows an authenticated low-privileged user to elevate to higher privileges by abusing an origin validation flaw in one of the agent's process protection communication mechanisms. No public exploit identified at time of analysis, but the vulnerability is companion to CVE-2026-45206 in a parallel code path, which suggests the underlying class of issue is actively being researched by Trend Micro's own team.

Technical ContextAI

The flaw is rooted in CWE-346 (Origin Validation Error). The Apex One agent uses inter-process communication channels to enforce its self-protection and process protection features - privileged components accept commands or events from peer processes but fail to adequately verify that the originating process is actually the trusted Trend Micro component it claims to be. According to the advisory this is a distinct IPC/protection mechanism from the one corrected in CVE-2026-45206, meaning the agent exposes more than one trust boundary using the same flawed validation pattern. Affected CPEs identify both the on-premises product (cpe:2.3:a:trend_micro,_inc.:trendai_apex_one) and the SaaS variant (trendai_apex_one_as_a_service).

RemediationAI

Vendor-released patch: upgrade Apex One 2019 on-premises agents to build 14.0.0.17079 or later; Apex One as a Service customers should ensure their tenant has been migrated to build 14.0.20731 or later (Trend Micro typically rolls SaaS fixes automatically but admins should verify via the management console). Refer to Trend Micro solution article KA-0023430 at https://success.trendmicro.com/en-US/solution/KA-0023430 for deployment guidance. Because exploitation requires prior low-privileged code execution on the endpoint, compensating controls until patching completes include restricting interactive logon and code-execution rights on Apex One-protected endpoints (application control, AppLocker/WDAC, removing local Users from RDP/interactive groups) and tightening EDR alerts on tampering with Trend Micro service processes; note these controls reduce but do not eliminate exposure on multi-user systems and may break legitimate user workflows on shared workstations.

Share

CVE-2026-45207 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy