🟢 CVE-2026-34926

A directory traversal vulnerability in Trend Micro Apex One on-premise servers allows pre-authenticated local attackers with administrative credentials to inject malicious code for deployment to agents. Exploitation requires local access to the server and existing admin credentials, making it a privilege escalation vector rather than an initial access vector.

Risk Level: LOW_RISK

CVSS Score: 6.7

Attack Vector: LOCAL

ATT&CK Tactic: Privilege Escalation

ATT&CK Technique: T1068 — Exploitation for Privilege Escalation

Deployment Risk: MEDIUM

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2026-05-21

Added to CISA KEV: 2026-05-21 (0 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2026-34926 is a critical directory traversal vulnerability affecting the on-premise version of Trend Micro Apex One [4].

Below is a summary of the known details regarding this vulnerability:

Active Exploitation and Threat Actor Usage
  • Status: The vulnerability has been confirmed as actively exploited in the wild [7].
  • CISA Action: Due to evidence of active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 21, 2026 [3].
Attack Method and Requirements
  • Attack Vector: This is a directory traversal vulnerability [5].
  • Requirements: Exploitation requires the attacker to be a local user who already possesses administrative credentials on the Apex One server [1]. It is not an unauthenticated remote exploit.
Impact and Access
  • Impact: Successful exploitation allows an attacker to modify a key system table on the server [6].
  • Consequence: By altering this table, an attacker can inject malicious code that is then automatically deployed to all connected Trend AI agents. This grants the attacker code execution capabilities across the endpoints managed by the compromised server [1].
Ransomware and Targeted Attacks
  • While the vulnerability is being exploited in the wild, specific details linking it to named ransomware groups or specific targeted campaigns have not been publicly detailed in the initial security advisories. However, the ability to push code to all managed endpoints makes it a high-value target for attackers looking to deploy malware or ransomware across an entire enterprise network.
Proof-of-Concept and Exploit Availability
  • As of June 4, 2026, there are no widespread public reports of a functional, weaponized exploit script being available in public repositories, though the fact that it is being actively exploited indicates that threat actors have developed the necessary exploit code.
Affected Versions and Mitigation
  • Affected Product: Trend Micro Apex One (on-premise) [5].
  • Status: TrendAI released updates to address this vulnerability on May 21, 2026 [2].
  • Recommendation: Organizations using the on-premise version of Apex One should apply the latest patches provided by Trend Micro immediately to mitigate the risk of exploitation [2].

Sources

  1. CVE-2026-34926 - Vulnerability Details - OpenCVE

    A directory traversal flaw in the Trend Micro Apex One on‑premise server lets a local attacker who already has administrative credentials modify a system key table. By altering the table the attacker can inject malicious code that will be automatically deployed to all connected Trend AI agents, givi…

  2. Apex One and Vision One – Standard Endpoint Protection (SEP) May 2026 ...

    Release Date: May 21, 2026; CVE Identifiers: CVE-2026-34926 through 34930 and CVE-2026-45206 through 45208; Platform: Windows; CVSS 3.1 Score(s): 6.7-7.8; Severity Rating(s): MEDIUM - HIGH. TrendAI has released updates to Apex One (on-premise), Apex One as a Service and Vision One - Standard Endpoint P…

  3. CISA Adds Two Known Exploited Vulnerabilities to Catalog

    CVE-2025-34291 Langflow Origin Validation Error Vulnerability; CVE-2026-34926 Trend Micro Apex One (On-Premise) Directory Traversal ...

  4. CVE-2026-34926 Detail - NVD

    Description. A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to ...

  5. CVE-2026-34926 - Trend Micro Apex One (On-Premise) Directory ...

    CVE-2026-34926 identifies a critical path-sanitization flaw within the centralized architecture of Trend Micro Apex One (specifically ...

  6. CVE-2026-34926 - GitHub Advisory Database

    A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the serve…

  7. TrendAI Patches Apex One Zero-Day Exploited in the Wild

    TrendAI has informed customers that it has patched CVE-2026-34926, another Apex One vulnerability that has been exploited in the wild.