Description
A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent iCore service signature verification could allow a local attacker to escalate privileges on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release).
Published: 2026-05-21
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A time‑of‑check time‑of‑use flaw in the iCore service’s signature verification can let a local attacker who can already run low‑privilege code bypass integrity checks and elevate to higher privileges. The flaw allows the attacker to modify signature data between verification and use, resulting in elevated authority on the host. The problem is limited to situations where the attacker can execute arbitrary code locally and does not involve network exploitation.

Affected Systems

Trend Micro Apex One for macOS, iCore service on macOS. No specific version range is listed, but the issue was corrected in the 2025 ActiveUpdate/SaaS releases (SaaS 2507 and the 2005 Yearly Release). Systems running prior builds remain vulnerable until updated.

Risk and Exploitability

The CVSS score of 7 is rated High. EPSS is below 1% (very low) and the vulnerability is not in CISA KEV, suggesting no widespread exploitation has been observed. Because the attack requires local code execution, the risk is limited to environments where a user or process can already run arbitrary code, but the potential for privilege escalation remains serious. Organizations should treat the vulnerability as high risk if such preconditions exist.

Generated by OpenCVE AI on May 21, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Trend Micro Apex One update for macOS (SaaS 2507 or the 2005 Yearly Release) which includes the signature‑verification fix.
  • Verify that the ActiveUpdate service is enabled so the client receives automatic patching.
  • Until the update is applied, restrict local users from executing arbitrary code and monitor local process activity for suspicious behavior to mitigate the precondition.

Generated by OpenCVE AI on May 21, 2026 at 15:51 UTC.


Advisories

No advisories yet.

History

Fri, 22 May 2026 13:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Trendmicro; Trendmicro apexone Op

Type: Vendors & Products
Values Removed: (none)
Values Added: Trendmicro; Trendmicro apexone Op

Thu, 21 May 2026 16:15:00 +0000

Type: Title
Values Removed: Local Privilege Escalation via Signature Verification TOCTOU in Trend Micro Apex One Mac Agent
Values Added: Local Privilege Escalation via TOCTOU in Trend Micro Apex One Mac Agent

Thu, 21 May 2026 15:00:00 +0000

Type: Title
Values Removed: (none)
Values Added: Local Privilege Escalation via Signature Verification TOCTOU in Trend Micro Apex One Mac Agent

Thu, 21 May 2026 14:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-367

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1: {'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 21 May 2026 13:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent iCore service signature verification could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release).
MITRE

Status: PUBLISHED

Assigner: trendmicro

Published:

Updated: 2026-05-21T14:02:05.059Z

Reserved: 2026-02-11T16:33:44.102Z

Link: CVE-2025-71215

Vulnrichment

Updated: 2026-05-21T14:01:45.774Z

NVD

Status: Undergoing Analysis

Published: 2026-05-21T14:16:44.130

Modified: 2026-05-21T15:16:21.843

Link: CVE-2025-71215

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T12:38:40Z
