CISA Warns of Actively Exploited Trend Micro Apex One Bug

Summary
– Trend Micro confirmed that CVE-2026-34926, a relative directory path traversal vulnerability in Apex One, has been exploited in zero-day attacks.
– The vulnerability is only exploitable on the on-premise version of Apex One, requiring an attacker to already have administrative credentials to the server.
– Once exploited, the flaw lets an attacker modify a key table to inject malicious code onto security agents, turning a trusted distribution channel into a malware channel.
– Trend Micro urges customers to update on-prem Apex One server deployments and security agents, and to review remote access and administrative privileges.
– The US CISA added CVE-2026-34926 to its Known Exploited Vulnerabilities catalog, ordering federal civilian agencies to patch by June 4, 2026.
A critical security flaw in Trend Micro’s Apex One platform is already being weaponized in active attacks. Tracked as CVE-2026-34926, this relative directory path traversal vulnerability has been confirmed by the company as having been exploited as a zero-day, with at least one attempt observed in the wild.
The incident was first flagged by Trend Micro’s own TrendAI enterprise cybersecurity unit, whose incident response team reported the exploitation. “TrendAI has observed at least one attempt to exploit this vulnerability in the wild,” the company stated, underscoring the seriousness of the threat.
What is Trend Micro Apex One?
Trend Micro Apex One is an endpoint security platform designed to defend an organization’s entire fleet of devices. It uses lightweight agents installed on laptops, desktops, and servers to silently monitor for threats and automatically block or quarantine suspicious activity. These agents report to a central server, giving IT teams a unified console to manage policies, investigate incidents, and maintain visibility across all endpoints.
Understanding CVE-2026-34926
Disclosed alongside seven other vulnerabilities in Apex One security agents, CVE-2026-34926 stands out as the only one confirmed to be actively exploited. However, exploitation is limited to the on-premise version of Apex One. The attack requires the adversary to already have administrative credentials to the Apex One Server, obtained through other means. Once inside, the vulnerability allows a “pre-authenticated local attacker” to modify a key table on the server, enabling them to inject malicious code that is then pushed to agents across the network. This effectively turns a trusted distribution channel into a potential malware delivery pipeline.
Immediate Steps for Protection
Trend Micro has not yet released specific details about the attack its team responded to, but the company is urging all customers to update their on-premise Apex One server deployments and security agents without delay. “In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security is up-to-date,” the company added. Organizations should also verify that only authorized users have access and administrative privileges to the Apex One Server console.
For customers using Trend Micro Apex One as a Service and TrendAI Vision One Endpoint Security – Standard Endpoint Protection, the server-side vulnerabilities have already been patched by Trend Micro in April. However, security agent patches should still be implemented to close any remaining gaps.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-34926 to its Known Exploited Vulnerabilities catalog, and has ordered all US federal civilian agencies to apply the patches by June 4, 2026.
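A practical way to act on a KEV listing like this one is to check the CVE IDs from your own vulnerability scanner against CISA’s catalog and rank them by remediation due date. The script below is an added example, not code from the article, Trend Micro or CISA. It uses the field names of the real KEV JSON feed (cveID, vendorProject, product, vulnerabilityName, dateAdded, shortDescription, requiredAction, dueDate, knownRansomwareCampaignUse); the CVE ID and the June 4, 2026 due date come from the article, while every other value in the embedded sample, and the list of scanner findings, is a constructed placeholder rather than the catalog’s real text.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the CVE ID and dueDate are taken from the article; the remaining values
# are placeholders and do not reproduce the real catalog entry.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-34926",
      "vendorProject": "Trend Micro",
      "product": "Apex One",
      "vulnerabilityName": "PLACEHOLDER - Apex One path traversal",
      "dateAdded": "2026-05-14",
      "shortDescription": "PLACEHOLDER description",
      "requiredAction": "Apply mitigations per vendor instructions.",
      "dueDate": "2026-06-04",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""


def load_kev(raw_json):
    """Parse a KEV feed and index its entries by CVE ID for O(1) lookups."""
    data = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def kev_status(catalog, cve_id, today):
    """Return remediation status for one CVE, or None if it is not in KEV.

    'days_left' is negative once the federal due date has passed, which is a
    useful signal for any organization that mirrors the BOD 22-01 timelines.
    """
    entry = catalog.get(cve_id)
    if entry is None:
        return None
    due = date.fromisoformat(entry["dueDate"])
    return {
        "cve": cve_id,
        "product": f'{entry["vendorProject"]} {entry["product"]}',
        "due_date": due,
        "days_left": (due - today).days,
        "overdue": today > due,
        "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
    }


def triage(catalog, scanner_findings, today):
    """Keep only findings that are in KEV, most urgent (earliest due date) first."""
    hits = [kev_status(catalog, cve, today) for cve in scanner_findings]
    hits = [h for h in hits if h is not None]
    return sorted(hits, key=lambda h: h["days_left"])


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    # Constructed scanner output: one KEV-listed CVE and one placeholder that is not.
    findings = ["CVE-2000-0001", "CVE-2026-34926"]
    for hit in triage(catalog, findings, date(2026, 5, 20)):
        flag = "OVERDUE" if hit["overdue"] else f'{hit["days_left"]} days left'
        print(f'{hit["cve"]}  {hit["product"]}  due {hit["due_date"]}  ({flag})')
```

In production you would fetch the live feed instead of the embedded sample and feed in the CVE IDs your scanner reports for the Apex One server and its agents; anything the function returns with a negative days_left is already past CISA’s deadline.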
(Source: Help Net Security)