Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
A time-of-check time-of-use vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
AnalysisAI
Local privilege escalation in Trend Micro Apex One and Apex One as a Service agents allows an attacker with low-privileged code execution to win a race condition in the endpoint protection agent and elevate to higher privileges. The flaw is a time-of-check time-of-use (TOCTOU) weakness (CWE-367) in the Apex One/SEP agent on Windows endpoints, with no public exploit identified at time of analysis and not currently listed in CISA KEV. The vendor has published advisory KA-0023430 with fixed builds.
Technical ContextAI
Trend Micro Apex One is an enterprise endpoint protection platform whose agent runs as a privileged Windows service with helper components accessible to non-administrative users. CWE-367 (Time-of-Check Time-of-Use) describes a race condition where a privileged process validates a resource (file path, handle, symlink, registry value, or token) and then operates on it without re-validation, allowing a concurrent low-privileged attacker to swap the resource between the check and the use so the privileged operation acts on attacker-controlled input. The affected CPEs cover the on-premises product (TrendAI Apex One 2019, branch 14.0) and the SaaS-delivered agent (Apex One as a Service); both ship the same vulnerable agent code path that performs an unsafe check-then-use sequence in a security-sensitive operation executed with SYSTEM-level rights.
RemediationAI
Apply the vendor-released patches by upgrading on-premises Apex One 2019 to build 14.0.0.17079 or later and ensuring Apex One as a Service agents are running build 14.0.20731 or later, per Trend Micro advisory KA-0023430 (https://success.trendmicro.com/en-US/solution/KA-0023430); SaaS tenants should verify the back-end has rolled the update to their region and that managed agents have re-checked in. Until patches are deployed, restrict and monitor local interactive logon and remote desktop access to endpoints running Apex One (the attacker needs prior low-privileged code execution), enforce application allow-listing to limit untrusted binary execution, and review EDR telemetry for unexpected child processes spawned by Apex One agent services or file-system races against agent-owned paths - note that these are compensating controls only and do not remove the underlying race window. Avoid disabling or unloading the Apex One agent as a workaround because that removes the protection the host depends on.
More in Trendai Apex One
View allDirectory traversal in Trend Micro Apex One on-premise server (versions before 14.0.0.17079) enables a highly privileged
Local privilege escalation in Trend Micro Apex One and Apex One as a Service allows an authenticated low-privileged user
Local privilege escalation in Trend Micro Apex One and Apex One as a Service allows low-privileged attackers to elevate
Local privilege escalation in Trend Micro Apex One and Apex One as a Service stems from an origin validation weakness (C
Local privilege escalation in Trend Micro Apex One and Apex One as a Service agents allows an attacker with low-privileg
Local privilege escalation in Trend Micro Apex One and Apex One as a Service security agents allows a low-privileged att
Local privilege escalation in Trend Micro Apex One (on-premises 2019/14.0) and Apex One as a Service allows a low-privil
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31281
GHSA-92rr-32pc-38g6