- Trend Micro patches CVE-2026-34926, a medium-severity directory traversal flaw in Apex One (on-premises) that allows local attackers with administrator privileges to inject malicious code
- Despite requiring prior administrator access, the bug is already being exploited in the wild, prompting urgent guidance to patch
- CISA adds it to the KEV catalog, giving federal agencies until June 4, 2026 to update or discontinue use of the product under BOD 22-01.
A dangerous vulnerability in Trend Micro’s Apex One product is being actively abused, researchers have warned, urging users to apply the provided patch as soon as possible.
Apex One is Trend Micro’s endpoint protection platform (EPP) built to protect enterprise devices against malware, ransomware, fileless attacks, and other cyber threats. It uses a combination of antivirus, behavioral analysis, machine learning, and EDR/XDR capabilities. It appears to be quite popular, with some sources putting the number of customers in the thousands.
The company has now issued a patch for a directory traversal vulnerability in the on-premises variant of Apex One that could allow local actors (with administrator privileges) to inject malicious code.
Capturing tokens
“A directory traversal vulnerability on the Apex One (on-premises) server could allow a previously authenticated local attacker to modify a key table on the server to inject malicious code for deployment to agents on the affected premises,” the NVD entry reads.
“This vulnerability can only be exploited in the local version of Apex One and a potential attacker must have access to the Apex One server and have obtained administrative credentials for the server through some other method to exploit this vulnerability.”
The bug is now tracked as CVE-2026-34926 and has a severity score of 6.7/10 (medium).
While everything points to a low-risk vulnerability, Trend Micro said it has already seen “at least one” exploitation attempt.
We don’t know if one attempt is enough to appear in CISA’s Known Exploited Vulnerabilities (KEV) database, but the US agency has added it regardless. Last Thursday, CISA revealed a new catalog entry, giving Federal Civilian Executive Branch (FCEB) agencies a deadline of June 4 to apply the patch or stop using Apex One entirely.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said. “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are not available.”
Via BleepingComputer





