Trend Micro Apex One: 13 CVEs Disclosed Including Actively Exploited Zero-Day
Trend Micro disclosed 13 vulnerabilities across Apex One on May 21, 2026, including a directory traversal zero-day (CVE-2026-34926) already exploited in the wild and two critical remote code execution flaws in the management console.

Key findings
- CVE-2026-34926 is a directory traversal zero-day exploited in the wild and added to CISA KEV
- Two critical RCE bugs (CVE-2025-71210, CVE-2025-71211) affect the Apex One management console at CVSS 9.8
- Four Windows agent origin validation flaws (CVSS 7.8) target different IPC mechanisms
- Five macOS agent vulnerabilities include TOCTOU and origin validation bugs
- All 13 CVEs were patched by Trend Micro on May 21, 2026
On May 21, 2026, Trend Micro disclosed a batch of 13 vulnerabilities affecting its Apex One enterprise endpoint security platform, spanning both the on-premise server and agents on Windows and macOS. The batch includes one zero-day already exploited in the wild, two critical-severity remote code execution bugs in the management console, and a cluster of high-severity local privilege escalation flaws across multiple agent components.
Actively exploited zero-day: CVE-2026-34926
The most urgent vulnerability in the batch is CVE-2026-34926 (CVSS 6.7, Medium), a directory traversal flaw in the Apex One on-premise server. According to Trend Micro, the vulnerability was discovered internally by TrendAI's incident response team after observing at least one exploitation attempt in the wild (BleepingComputer). The flaw allows a pre-authenticated local attacker with administrative credentials to modify a key table on the server and inject malicious code that is then deployed to agents across the organization. On May 22, 2026, CISA added CVE-2026-34926 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation and requiring federal agencies to remediate by a specified deadline (The Hacker News).
Critical remote code execution in the management console
Two critical-severity vulnerabilities were disclosed in the Apex One management console. CVE-2025-71211 (CVSS 9.8) and CVE-2025-71210 (CVSS 9.8) both allow a remote attacker to upload malicious code and execute commands on affected installations. Trend Micro notes that CVE-2025-71211 is similar in scope to CVE-2025-71210 but affects a different executable. Both were reported by a researcher through responsible disclosure, and although they carry a critical CVSS rating, the vendor has not reported active exploitation of either.
Local privilege escalation cluster on Windows agents
A series of origin validation vulnerabilities in the Apex One and Trend Micro Vision One Security Agent (also referred to as SEP agent) inter-process communication mechanisms could allow local attackers to escalate privileges on Windows installations. The cluster includes:
- CVE-2026-34927 (CVSS 7.8) — origin validation in an unspecified IPC mechanism
- CVE-2026-34928 (CVSS 7.8) — similar flaw in a named pipe communication mechanism
- CVE-2026-34929 (CVSS 7.8) — similar flaw in a different IPC mechanism
- CVE-2026-45207 (CVSS 7.8) — similar flaw in a process protection communication mechanism

All four require the attacker to first obtain the ability to execute low-privileged code on the target system. The Zero Day Initiative (ZDI) published advisories for each of these on May 28, 2026, assigning them ZDI identifiers ZDI-26-320 through ZDI-26-325 (Zero Day Initiative).
macOS agent privilege escalation vulnerabilities
Five additional high-severity vulnerabilities affect the Apex One macOS agent specifically:
- CVE-2025-71217 (CVSS 7.8) — origin validation error in the agent self-protection mechanism
- CVE-2025-71216 (CVSS 7.8) — time-of-check time-of-use (TOCTOU) vulnerability in the agent cache mechanism
- CVE-2025-71215 (CVSS 7.0) — TOCTOU vulnerability in the iCore service signature verification
- CVE-2025-71214 (CVSS 7.8) — origin validation error in the iCore service
- CVE-2025-71213 (CVSS 7.8) — origin validation error in the broader Apex One macOS agent

All five require the attacker to first execute low-privileged code on the target system. Additionally, CVE-2025-71212 (CVSS 7.8) is a link-following vulnerability in the Apex One scan engine that could allow local privilege escalation on affected installations.
Patch status and mitigations
Trend Micro has released patches for all 13 vulnerabilities. For CVE-2026-34926, the actively exploited zero-day, the fix is available through Trend Micro's standard update channels. The on-premise Apex One server is the affected component for that vulnerability; cloud-based Apex One deployments are not impacted. For the remaining CVEs, administrators should apply the latest Apex One agent and server updates. Given that CVE-2026-34926 has been added to CISA's KEV catalog and confirmed exploited in the wild, organizations running on-premise Apex One deployments should prioritize that patch above all others.
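The prioritization described above can be made mechanical. The following is an added example, not code from Trend Micro or from the sources cited in this article: it joins the 13 CVEs with a KEV catalog and shows that a CVSS-only sort ranks the exploited zero-day last, while a KEV-aware sort ranks it first. The component labels, the deployment sets and the KEV excerpt are constructed for illustration; `cveID` and `dateAdded` are field names from CISA's KEV JSON feed.

```python
import json

# (CVE, component, CVSS) as listed in the article; component labels are assumed.
ADVISORY = [
    ("CVE-2026-34926", "server-onprem", 6.7),
    ("CVE-2025-71210", "console", 9.8),
    ("CVE-2025-71211", "console", 9.8),
    ("CVE-2026-34927", "agent-windows", 7.8),
    ("CVE-2026-34928", "agent-windows", 7.8),
    ("CVE-2026-34929", "agent-windows", 7.8),
    ("CVE-2026-45207", "agent-windows", 7.8),
    ("CVE-2025-71217", "agent-macos", 7.8),
    ("CVE-2025-71216", "agent-macos", 7.8),
    ("CVE-2025-71215", "agent-macos", 7.0),
    ("CVE-2025-71214", "agent-macos", 7.8),
    ("CVE-2025-71213", "agent-macos", 7.8),
    ("CVE-2025-71212", "scan-engine", 7.8),
]

# Constructed excerpt in the shape of CISA's KEV JSON feed (not real feed data).
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-34926", "vendorProject": "Trend Micro",
   "product": "Apex One", "dateAdded": "2026-05-22"}
]}
""")
EMPTY_KEV = {"vulnerabilities": []}  # stands in for "ignore KEV, sort by CVSS only"


def patch_order(advisory, catalog, deployed):
    """Return in-scope CVE ids: KEV-listed first, then CVSS descending."""
    kev = {v["cveID"] for v in catalog.get("vulnerabilities", [])}
    in_scope = [row for row in advisory if row[1] in deployed]
    # Sort key: KEV membership beats score; CVE id keeps ties stable.
    ranked = sorted(in_scope, key=lambda r: (r[0] not in kev, -r[2], r[0]))
    return [cve for cve, _, _ in ranked]


if __name__ == "__main__":
    # Hypothetical inventories of deployed components.
    onprem = {"server-onprem", "console", "agent-windows", "agent-macos", "scan-engine"}
    cloud = {"agent-windows", "agent-macos", "scan-engine"}
    print("on-prem, KEV-aware:", patch_order(ADVISORY, KEV_SAMPLE, onprem)[:3])
    print("on-prem, CVSS only:", patch_order(ADVISORY, EMPTY_KEV, onprem)[-1])
    print("cloud, KEV-aware:  ", patch_order(ADVISORY, KEV_SAMPLE, cloud)[:3])
```
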
Why this batch matters
This disclosure event is notable for its breadth — 13 CVEs touching nearly every component of the Apex One platform, from the management console to Windows and macOS agents. The inclusion of a confirmed zero-day exploited in the wild (CVE-2026-34926) elevates the urgency, particularly for organizations running on-premise Apex One servers. The two critical console RCE bugs (CVE-2025-71210 and CVE-2025-71211) represent the highest-severity items in the batch, though they have not been reported as exploited. Together, these vulnerabilities underscore the attack surface that enterprise endpoint protection platforms themselves present — a theme that security teams managing Trend Micro deployments should watch closely as further research emerges.