Skip to main content

Trend Micro Apex One CVE-2026-45208

| EUVDEUVD-2026-31281 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-05-21 trendmicro GHSA-92rr-32pc-38g6
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 21, 2026 - 14:20 vuln.today
Patch available
May 21, 2026 - 14:02 EUVD

DescriptionCVE.org

A time-of-check time-of-use vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

AnalysisAI

Local privilege escalation in Trend Micro Apex One and Apex One as a Service agents allows an attacker with low-privileged code execution to win a race condition in the endpoint protection agent and elevate to higher privileges. The flaw is a time-of-check time-of-use (TOCTOU) weakness (CWE-367) in the Apex One/SEP agent on Windows endpoints, with no public exploit identified at time of analysis and not currently listed in CISA KEV. The vendor has published advisory KA-0023430 with fixed builds.

Technical ContextAI

Trend Micro Apex One is an enterprise endpoint protection platform whose agent runs as a privileged Windows service with helper components accessible to non-administrative users. CWE-367 (Time-of-Check Time-of-Use) describes a race condition where a privileged process validates a resource (file path, handle, symlink, registry value, or token) and then operates on it without re-validation, allowing a concurrent low-privileged attacker to swap the resource between the check and the use so the privileged operation acts on attacker-controlled input. The affected CPEs cover the on-premises product (TrendAI Apex One 2019, branch 14.0) and the SaaS-delivered agent (Apex One as a Service); both ship the same vulnerable agent code path that performs an unsafe check-then-use sequence in a security-sensitive operation executed with SYSTEM-level rights.

RemediationAI

Apply the vendor-released patches by upgrading on-premises Apex One 2019 to build 14.0.0.17079 or later and ensuring Apex One as a Service agents are running build 14.0.20731 or later, per Trend Micro advisory KA-0023430 (https://success.trendmicro.com/en-US/solution/KA-0023430); SaaS tenants should verify the back-end has rolled the update to their region and that managed agents have re-checked in. Until patches are deployed, restrict and monitor local interactive logon and remote desktop access to endpoints running Apex One (the attacker needs prior low-privileged code execution), enforce application allow-listing to limit untrusted binary execution, and review EDR telemetry for unexpected child processes spawned by Apex One agent services or file-system races against agent-owned paths - note that these are compensating controls only and do not remove the underlying race window. Avoid disabling or unloading the Apex One agent as a workaround because that removes the protection the host depends on.

Share

CVE-2026-45208 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy