
The endpoint security software meant to protect enterprise networks from attackers has itself become a target. Trend Micro has patched a zero-day vulnerability in Apex One — its flagship corporate endpoint protection platform — after its own incident response team caught threat actors actively exploiting the flaw against Windows systems.
Tracked as CVE-2026-34926, the vulnerability is a directory traversal flaw (a weakness that lets attackers access files and directories outside intended boundaries) in the Apex One on-premises server.
A local attacker who has already obtained admin credentials can exploit it to tamper with a core server table and silently push malicious code out to all endpoint agents deployed across the organization — effectively hijacking the security infrastructure itself to distribute malware.
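The page does not describe the exact input that triggers CVE-2026-34926, so the following is only an added illustration of the weakness class named above, not Trend Micro's code or a reproduction of the flaw. It contrasts a file-path handler that trusts a caller-supplied path with one that normalises the path and confirms it still sits under the intended base directory; the base directory and the inputs are constructed for the example.

```python
import posixpath

# Constructed base directory for the example; not the real Apex One layout
BASE_DIR = "/srv/app/uploads"


def naive_join(base, user_path):
    """Vulnerable pattern: trusts the caller-supplied path verbatim."""
    return posixpath.join(base, user_path)


def safe_join(base, user_path):
    """Hardened pattern: normalise, then verify the result stays under base."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    # Treat backslashes as separators so Windows-style traversal is caught too
    candidate = user_path.replace("\\", "/")
    if posixpath.isabs(candidate):
        raise ValueError("absolute path not allowed")
    base_norm = posixpath.normpath(base)
    full = posixpath.normpath(posixpath.join(base_norm, candidate))
    # The only acceptable results are the base itself or something beneath it
    if full != base_norm and not full.startswith(base_norm + "/"):
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return full


def is_traversal(user_path, base=BASE_DIR):
    """True when safe_join would reject the input, i.e. it escapes base."""
    try:
        safe_join(base, user_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for p in ["report.txt", "a/../b.txt", "../../etc/passwd", "/etc/passwd"]:
        print(f"{p!r:28} naive={naive_join(BASE_DIR, p)!r:40} traversal={is_traversal(p)}")
```

The check compares the normalised result against the base rather than filtering `..` substrings, because encoded or mixed-separator variants defeat substring filters while normalisation handles them uniformly.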
The attack does carry prerequisites: the target must be running the on-premises version of Apex One, and the attacker must already hold administrative access to the server. That said, those conditions are far from theoretical — TrendAI's incident response team, which discovered the vulnerability, confirmed at least one real-world exploitation attempt before the patch was even released.
CISA has added CVE-2026-34926 to its Known Exploited Vulnerabilities (KEV) catalog and ordered all U.S. federal agencies to apply fixes no later than June 4.
The same update bundle addresses seven additional high-severity local privilege escalation flaws (CVE-2026-34927 through 34930 and CVE-2026-45206 through 45208), all carrying CVSS scores of 7.8. These were reported by researcher Lays (@_L4ys) of TRAPA Security through Trend Micro's Zero Day Initiative program. Each flaw stems from an origin validation error in a different inter-process communication mechanism of the Apex One agent.
Apex One has been exploited in zero-day attacks repeatedly — in August 2025, September 2023, and September 2022. SecurityWeek notes that some past Apex One attacks have been attributed to Chinese state-sponsored APT groups, and given the level of access required to trigger CVE-2026-34926, a sophisticated threat actor is the most plausible culprit here, too.
What you should do now:
- On-premises Apex One SP1 users should update to CP Build 18012 (or 17079 for fresh installs)
- SaaS and Vision One SEP customers need Security Agent build 14.0.20731 or later
- Review who has remote administrative access to your Apex One server and audit perimeter policies immediately
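To turn the first two items into a repeatable check, here is an added example (not Trend Micro tooling) that reads an inventory export of hostname, deployment type and build, and flags anything below the fixed builds listed above. The CSV layout and the hosts in it are constructed for the example; a real export from your console or asset system would need its own column mapping. The fresh-install build 17079 from the list is an installer baseline and is not a threshold this script applies.

```python
import csv
import io

# Fixed builds as listed in the remediation steps above
MIN_ONPREM_SP1_CP_BUILD = 18012        # CP build for existing SP1 servers
MIN_AGENT_VERSION = (14, 0, 20731)     # SaaS / Vision One SEP security agent

# Constructed sample export (hostname,deployment,build); not real Apex One output
SAMPLE_INVENTORY = """\
hostname,deployment,build
srv-apex-01,onprem-sp1,18012
srv-apex-02,onprem-sp1,17950
wks-1001,saas-agent,14.0.20731
wks-1002,saas-agent,14.0.20655
wks-1003,saas-agent,13.9.99999
srv-bad,onprem-sp1,n/a
"""


def parse_version(text):
    """'14.0.20731' -> (14, 0, 20731); raises ValueError on junk."""
    return tuple(int(part) for part in text.strip().split("."))


def is_current(deployment, build):
    """True if the build meets the minimum for its deployment type."""
    if deployment == "onprem-sp1":
        return int(build) >= MIN_ONPREM_SP1_CP_BUILD
    if deployment == "saas-agent":
        # Tuple comparison handles short versions like '14.0' (treated as older)
        return parse_version(build) >= MIN_AGENT_VERSION
    raise ValueError(f"unknown deployment type: {deployment}")


def triage(inventory_csv):
    """Bucket hosts into current / outdated / unparseable for follow-up."""
    result = {"current": [], "outdated": [], "unparseable": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["hostname"].strip()
        try:
            ok = is_current(row["deployment"].strip(), row["build"])
        except ValueError:
            # Unknown type or unreadable build: never silently treat as patched
            result["unparseable"].append(host)
            continue
        result["current" if ok else "outdated"].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Rows that cannot be parsed land in their own bucket rather than being skipped, so a host with a blank or malformed version field still shows up for manual verification instead of disappearing from the report.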