Medium severity 6.7 · NVD Advisory · Published May 21, 2026 · Updated May 21, 2026

CVE-2026-34926

Description

A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations.

This vulnerability is only exploitable on the on-premise version of Apex One. To exploit it, a potential attacker must have access to the Apex One Server and must already have obtained administrative credentials to the server via some other method.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A pre-authenticated local attacker with admin credentials can exploit a directory traversal in Trend Micro Apex One (on-prem) to modify server tables and deploy malicious code to agents.

Vulnerability

CVE-2026-34926 is a relative path traversal vulnerability (CWE-23) in the Trend Micro Apex One (on-premise) server (builds prior to 17079 for new installations, or without Critical Patch build 18012 for existing SP1 users). The vulnerability resides in the server component and is triggered when a local attacker with administrative credentials modifies a key table via directory traversal, allowing injection of malicious code that is subsequently deployed to connected security agents. [1][2][3]

Exploitation

Exploitation requires the attacker to have local access to the Apex One server and to have already obtained administrative credentials for the server operating system through some other method (e.g., credential theft, social engineering). With those privileges, the attacker can craft a directory traversal request to modify a server key table, injecting arbitrary code. This code is then distributed to agents during normal update operations. Trend Micro has confirmed at least one instance of active exploitation in the wild. [1][2][4]

Impact

A successful attack allows the attacker to tamper with arbitrary files on the server and inject malicious code that is pushed to all connected security agents. This can lead to a compromise of agent integrity (tampering), potential agent unavailability (resource consumption), and indirectly to full system compromise on the affected endpoints. The CVSS v3.1 score is 6.7 (Medium), with a scope change from server to agents (Confidentiality High, Integrity Low, Availability Low). [1][3]

Mitigation

Trend Micro released fixed builds: for on-prem Apex One, apply Critical Patch build 18012 for existing SP1 users, or perform a fresh install of SP1 build 17079. The security agent must be updated to at least build 14.0.0.17079. For Apex One as a Service and Vision One SEP, the agent build 14.0.20731 is available. No workaround is provided; immediate patching is strongly recommended as the vulnerability is being actively exploited. [2][3][4]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

References

4
