CISA Warns of Exploited Trend Micro Apex One Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Trend Micro Apex One vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning that the flaw is being actively exploited in the wild.

The vulnerability, tracked as CVE-2026-34926, affects Trend Micro Apex One on-premise deployments and exposes enterprise environments to potential agent-level code injection.

Trend Micro Apex One Flaw

CVE-2026-34926 refers to a directory traversal flaw (CWE-23) in the Apex One on-premise server component.

According to CISA, a pre-authenticated local attacker can exploit the vulnerability to modify a key table on the server and inject malicious code, which is then pushed to managed agents deployed across the network.

Trend Micro’s own Incident Response (IR) Team discovered and reported the flaw, and the vendor has confirmed observing at least one exploitation attempt in the wild (ITW).

The vulnerability carries a CVSSv3.1 score of 6.7, reflecting the high-complexity attack conditions and the requirement that an attacker must already have obtained administrative credentials through a separate method before exploiting the traversal path.

| Product | Affected Version | Fixed Build | Platform |
|---|---|---|---|
| Apex One (On-Premise) | 2019 builds below 17079 | SP1 CP Build 18012 (existing SP1) / Build 17079 (new installs) | Windows |
| Apex One as a Service / Vision One SEP | Agent builds below 14.0.20731 | Agent Build 14.0.20731 | Windows |

Note: The initial CP 17079 Critical Patch was temporarily withdrawn due to an unrelated issue and replaced by CP Build 18012 for existing SP1 users. Organizations that applied 17079 previously remain protected.
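
The build thresholds and the note above reduce to a numeric comparison per host, where a plain string comparison would misjudge agent versions such as 14.0.9999. The following triage script is an added example, not code from Trend Micro or CISA; the CSV layout, product labels and host names are assumptions, and the sample inventory is constructed.

```python
import csv
import io

# Fixed-build thresholds taken from the affected/fixed builds listed above.
ONPREM_FIXED_BUILD = 17079          # on-premise server: builds below this are affected
SAAS_AGENT_FIXED = (14, 0, 20731)   # as-a-Service / SEP agent: builds below this are affected

# Constructed sample inventory; column names, labels and hosts are assumptions.
SAMPLE_INVENTORY = """host,product,build
av-srv-01,onprem,16999
av-srv-02,onprem,17079
av-srv-03,onprem,18012
wks-101,saas_agent,14.0.9999
wks-102,saas_agent,14.0.20731
wks-103,saas_agent,14.0.abc
"""

def parse_build(product, raw):
    """Return a comparable build value, or None if the string is unusable."""
    try:
        parts = tuple(int(p) for p in raw.strip().split("."))
    except ValueError:
        return None
    if product == "onprem" and len(parts) == 1:
        return parts[0]             # bare server build number, e.g. 17079
    if product == "saas_agent" and len(parts) == 3:
        return parts                # dotted agent build, compared field by field
    return None

def triage(inventory_csv):
    """Map each host to 'affected', 'fixed' or 'unknown'."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"]
        build = parse_build(product, row["build"])
        if build is None:
            status = "unknown"      # unparsable rows go to manual review, never 'fixed'
        elif product == "onprem":
            # 17079 counts as fixed: hosts that applied it before withdrawal stay protected.
            status = "fixed" if build >= ONPREM_FIXED_BUILD else "affected"
        else:
            status = "fixed" if build >= SAAS_AGENT_FIXED else "affected"
        result[row["host"]] = status
    return result

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```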

Security product vulnerabilities have an amplified blast radius compared to those in standard enterprise applications.

Apex One’s on-premises management console holds a privileged position, controlling security policy distribution, agent updates, and endpoint patching across entire Windows fleets.

An attacker who successfully abuses the traversal flaw and injects malicious code gains a propagation vector to every managed endpoint in the organization, effectively weaponizing the defender’s own infrastructure.

CISA’s inclusion of CVE-2026-34926 in the KEV catalog confirms evidence of active exploitation in enterprise environments.

Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies are mandated to apply vendor-recommended mitigations or discontinue use of the affected product by June 4, 2026.

While ransomware campaign ties remain unconfirmed at this stage, the nature of the vulnerability, which allows silent code injection into distributed agents, makes it an attractive tool for ransomware operators and APT groups seeking broad lateral movement across enterprise endpoints.

Mitigation

CISA recommends organizations take immediate action:

  • Apply patches from Trend Micro per the vendor’s official advisory for Apex One on-premise installations
  • Follow BOD 22-01 guidance for any cloud service variants of Apex One
  • Discontinue use of the product if patches or mitigations cannot be applied within the remediation window
  • Audit agent deployments for signs of unauthorized code or configuration changes pushed from the server

Organizations running Trend Micro Apex One in on-premises configurations should treat this as a high-priority remediation item, given that the pre-authentication requirement significantly lowers the exploitation barrier.

Security teams are advised to review endpoint telemetry for anomalous agent behavior that could indicate post-exploitation activity.

The post CISA Warns of Exploited Trend Micro Apex One Flaw appeared first on Cyber Security News.

rssfeeds-admin