Trend Micro Apex One, Directory Traversal, CVE-2026-34926 (Medium)

Listen to this Post

How the CVE Works

CVE-2026-34926 is a relative path traversal vulnerability (CWE-23) in the on-premise version of Trend Micro Apex One. The flaw exists because the Apex One server does not properly sanitize file paths when accessing server directories. A pre‑authenticated local attacker who has already obtained administrative credentials (via another method) can exploit this directory traversal bug to modify a key table on the server. By replacing or altering this key table, the attacker injects malicious code into the server’s internal data structures. Once modified, the key table is read during normal agent communication, causing the injected code to be deployed to all connected endpoint agents. Because the attack requires both local access and valid admin credentials, the CVSS attack vector is LOCAL, the attack complexity is HIGH, and privileges required are HIGH (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L). Trend Micro has observed at least one instance of active exploitation in the wild, and CISA added this vulnerability to its Known Exploited Vulnerabilities catalog on May 21, 2026. The on‑premise Apex One versions prior to 14.0.0.17079 are affected; the SaaS version is not vulnerable.

DailyCVE Form

Platform: Apex One
Version: On‑premise
Vulnerability: Directory Traversal
Severity: Medium
Date: 2026‑05‑21

Prediction: 2026‑06‑04

Analytics under heading What Undercode Say

CISA KEV required action date
curl -s "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" | grep -i "CVE-2026-34926"
Check Apex One version (Windows)
reg query "HKLM\SOFTWARE\TrendMicro\Apex One" /v Version
Search for directory traversal attempts in Apex One logs
find "C:\Program Files\Trend Micro\Apex One\Log" -name ".log" -exec grep -i ".." {} \;

Exploit

Pre‑auth local attacker with admin creds uses path traversal (e.g., ../../../../path/to/keytable) to overwrite server key table, injecting malicious payload that gets deployed to all agents.

Protection from this CVE

Apply the official Trend Micro security update (version ≥14.0.0.17079) immediately. If patching is delayed, restrict local access to the Apex One server, monitor for unusual agent deployments, and follow CISA BOD‑22‑01 guidance (mitigations required by June 4, 2026).

Impact

Successful exploitation allows attacker to deploy arbitrary malicious code to every endpoint agent, leading to full system compromise of all managed hosts. Confidentiality impact is HIGH, integrity and availability impacts are LOW.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top