Description
A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations.


This vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability.
Published: 2026-05-21
Score: 6.7 Medium
EPSS: n/a
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

A directory traversal flaw in the Trend Micro Apex One on‑premise server lets a local attacker who already has administrative credentials modify a system key table. By altering the table the attacker can inject malicious code that will be automatically deployed to all connected Trend AI agents, giving attackers code execution capability on those endpoints. The weakness is a classic directory traversal (CWE‑23), which allows the attacker to manipulate file paths beyond intended boundaries, resulting in unauthorized file modification and execution.

Affected Systems

The vulnerability affects Trend Micro Apex One on‑premise servers running version 14.0.0.17079. The Apex One as a Service version is not vulnerable but the on‑premise deployment is. The flaw is only exploitable when the attacker has already gained local administrative access to the Apex One server via other means.

Risk and Exploitability

The CVSS score of 6.7 indicates moderate severity. EPSS data are not available, and the flaw is listed in the CISA KEV catalog. The attack requires a pre‑authenticated local attacker with administrative privileges, so the likelihood of exploitation depends on the security of the Apex One server environment and the difficulty of obtaining those credentials. Once the attacker can modify the key table, any code deployed to agents is executed with the agent’s privileges, potentially compromising the entire managed fleet.

Generated by OpenCVE AI on May 21, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Trend Micro Apex One security update that removes the directory traversal vulnerability.
  • Revoke or limit administrative access to the Apex One server to only trusted personnel and enforce strong authentication methods.
  • Enable logging and monitoring on the Apex One server to alert on unexpected modifications to key tables or launch of unknown processes on agents.

Generated by OpenCVE AI on May 21, 2026 at 20:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 21:15:00 +0000

Type Values Removed Values Added
Title Directory Traversal in Trend Micro Apex One Server Enabling Local Code Deployment

Thu, 21 May 2026 20:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 May 2026 19:00:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-05-21T00:00:00+00:00', 'dueDate': '2026-06-04T00:00:00+00:00'}

Thu, 21 May 2026 15:00:00 +0000

Type Values Removed Values Added
Title Directory Traversal in Trend Micro Apex One Server Enabling Local Code Deployment

Thu, 21 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations. This vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability.
First Time appeared Trendmicro
Trendmicro apexone Op
Trendmicro apexone Saas
Weaknesses CWE-23
CPEs cpe:2.3:a:trendmicro:apexone_op:14.0.0.17079:*:*:*:*:*:*:*
cpe:2.3:a:trendmicro:apexone_saas:14.0.0.20731:*:*:*:*:*:*:*
Vendors & Products Trendmicro
Trendmicro apexone Op
Trendmicro apexone Saas
References
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L'}

Subscriptions

Trendmicro Apexone Op Apexone Saas
cve-icon MITRE

Status: PUBLISHED

Assigner: trendmicro

Published:

Updated: 2026-05-21T22:20:24.193Z

Reserved: 2026-03-31T17:22:13.504Z

Link: CVE-2026-34926

cve-icon Vulnrichment

Updated: 2026-05-21T13:50:37.989Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-21T14:16:45.213

Modified: 2026-05-21T20:16:14.027

Link: CVE-2026-34926

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T21:00:16Z

Weaknesses