Skip to main content
Emerging Threats

Trend Micro Discloses Apex One Zero-Day Exploited in Attacks

Brightly-lit server room focuses on a central server rack surrounded by rows of equipment.

CVE-2026-34926 — a directory traversal bug in Trend Micro's Apex One on‑premises server — has been added to the U.S. Cybersecurity and Infrastructure Security Agency's list of actively exploited vulnerabilities, and federal agencies were ordered to patch affected systems by June 4, 2026.

CVE-2026-34926: Trend Micro's technical description

Trend Micro described CVE-2026-34926 as "a directory traversal vulnerability in the Apex One (on‑premise) server" that "could allow a pre‑authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations," the company said on Thursday. Trend Micro emphasized that the flaw "is only exploitable on the on‑premise version of Apex One" and that a "potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability."

Despite those restrictive prerequisites, Trend Micro added that "TrendAI has observed at least one attempt to exploit this vulnerability in the wild," leaving open the possibility of targeted misuse where administrative credentials or local access are already present.

CISA's directive and recommended mitigations

The U.S. Cybersecurity and Infrastructure Security Agency responded by adding CVE-2026-34926 to its active exploitation list and ordering federal agencies to patch devices by June 4. CISA warned: "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise." The agency instructed agencies to "Apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

That directive imposes a three‑week remediation window for federal bodies and places on them the choices of applying Trend Micro's mitigations, following the administration's BOD 22‑01 cloud guidance where relevant, or ceasing use of affected on‑premise installations if no mitigations are available.

Updates to Apex One SEP agent: seven local privilege escalations

On Thursday Trend Micro also published security updates addressing seven local privilege escalation vulnerabilities in the Apex One Standard Endpoint Protection (SEP) agent. Trend Micro said attackers "can exploit [these flaws] if they have permission to execute low‑privileged code on the target system," meaning these issues lower the bar for privilege escalation when an adversary already has some code‑execution capabilities on an endpoint.

The simultaneous release of SEP‑agent patches alongside the on‑premise server advisory underscores that multiple components of Apex One required fixes in this round.

Past Apex One zero‑days and ongoing tracking

Trend Micro and CISA have repeatedly encountered actively exploited flaws in Apex One. Trend Micro pointed to an actively exploited remote code execution bug, CVE-2025-54948, disclosed in August 2025, and to two other Apex One zero‑days exploited in the wild in September 2022 (CVE-2022-40139) and September 2023 (CVE-2023-41179). CISA currently tracks 12 Trend Micro Apex vulnerabilities that "have either been or are still being abused in attacks," according to the reporting.

That record frames CVE-2026-34926 not as an isolated technical patch but as the latest entry in a string of Apex One vulnerabilities that have drawn active exploitation and federal attention.

What this means for technologists, federal agencies, and enterprise procurement

  • Technologists and security teams: prioritize installing Trend Micro's server and SEP‑agent updates where applicable, and verify whether Apex One deployments are on‑premise (the server issue applies only to on‑premise installations).
  • Federal agencies: adhere to CISA's June 4 patch deadline, apply "mitigations per vendor instructions," follow "BOD 22‑01 guidance for cloud services" when relevant, or discontinue use if no mitigations exist.
  • Enterprise procurement and IT leadership: account for the difference between on‑premise and cloud service exposures and consider vendor remediation cadence and historical exploitation (Trend Micro cited prior exploited Apex One CVEs in 2022, 2023, and 2025) when assessing risk.

Trend Micro's advisory and CISA's three‑week remediation order together tell a clear operational story: the vulnerability requires local access and administrative credentials to exploit, but at least one in‑the‑wild attempt has already been observed, prompting a swift federal directive. Whether agencies and affected organizations meet the June 4 deadline — and how effectively mitigations are deployed where on‑premise Apex One remains in use — will determine whether this entry becomes another quickly closed incident or the next chapter in an ongoing pattern of exploited Apex One flaws.

Original reporting: https://www.bleepingcomputer.com/news/security/trend-micro-warns-of-apex-one-zero-day-exploited-in-attacks/