Medium | Known exploited (KEV) | CVE-2026-34926

Directory traversal in Trend Micro Apex One (CVE-2026-34926) — risk of deploying malicious code to agents

Trend Micro Apex One | Added to KEV: May 21, 2026 | Federal remediation due: 2026-06-04

Trend Micro Apex One (on-premise), an endpoint-protection product, has a directory-traversal vulnerability that could let a pre-authenticated local attacker modify a key table on the server to inject malicious code and deploy it to agents. CISA listed it as known-exploited (KEV) (CVSS 6.7 Medium).

Key facts

  • CVE ID: CVE-2026-34926
  • CVSS base score: 6.7 MEDIUM
  • CVSS vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L
  • Affected (vendor / product): Trend Micro Apex One
  • CWE: CWE-23
  • Exploitation: Listed in CISA KEV (exploitation confirmed)
  • Remediation due: 2026-06-04 (U.S. federal civilian agencies, BOD 22-01)

Key points

  • Directory traversal (CWE-23) in Trend Micro Apex One (on-premise EPP)
  • A pre-authenticated local attacker modifies a key table → risk of deploying malicious code to agents
  • CVSS is 6.7 (Medium; local/high complexity), but impact is large via management-server-to-endpoints spread
  • A security-product vulnerability — "the cornerstone of defense can become an attack channel"
  • Response: fix per vendor; review management-server access control and agent deployments

CVE-2026-34926 is a directory-traversal vulnerability (CWE-23) in Trend Micro Apex One (the on-premise enterprise endpoint-protection — EPP — product). It was added to CISA's KEV catalog on May 21, 2026.

Per NVD, a pre-authenticated local attacker could modify a key table on the server to inject malicious code and deploy it to agents on affected installations. It is rated Medium because exploitation requires local access and high attack complexity, but what makes it important is that malicious code can spread from the management server to many agents (endpoints).

Endpoint-protection products are meant to defend endpoints; when their management server is abused, "the cornerstone of defense becomes a distribution channel for attacks." It is also an example of the recent trend of vulnerabilities in security products themselves being exploited.

Key response: apply fixes/mitigations per Trend Micro's official instructions. For cloud use, follow BOD 22-01. Reviewing access control to the management server and checking for suspicious agent deployments are also recommended. The federal civilian remediation deadline was June 4, 2026.

Why it matters

This is a case where an endpoint-protection (EPP) management server can become a channel for deploying malicious code to endpoints. Organizations running security products should prioritize prompt updates of the products themselves and access control of the management server. It illustrates the trend of attacks targeting "the cornerstone of defense."

FAQ

What is Apex One?
Trend Micro's enterprise endpoint-protection (EPP) product. Its management server controls many endpoints (agents).

Why does a medium CVSS matter?
It requires local access and high attack complexity, so the score is 6.7, but the practical impact is large because malicious code can spread from the management server to many agents — and CISA confirms exploitation.

What should I do?
Apply fixes/mitigations per Trend Micro, review access control to the management server, and check for suspicious agent deployments.

Sources (primary)

This article is an independent compilation based on the U.S. official data below. Always verify the exact, latest details and applicability with the official and vendor sources.
