CVE-2026-34928
Description
An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-34927 but exists in a different named pipe communication mechanism.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An origin validation vulnerability in the Apex One/SEP agent named pipe allows local privilege escalation; requires low-privileged code execution.
Vulnerability
An origin validation vulnerability exists in the named pipe communication mechanism of the Trend Micro Apex One and Vision One Standard Endpoint Protection (SEP) agent. The flaw allows a local attacker who has already obtained low-privileged code execution on the target system to escalate privileges. This vulnerability is similar to CVE-2026-34927 but affects a different named pipe. Affected versions include Apex One 2019 (on-prem) server and agent builds below 14.0.0.17079, and Apex One as a Service / Vision One SEP agent builds below 14.0.20731 [1].
Exploitation
To exploit this vulnerability, an attacker must first gain the ability to execute low-privileged code on the target Windows system. Once that foothold is established, the attacker can interact with the vulnerable named pipe, bypassing origin validation to trigger privilege escalation. The exact sequence involves sending crafted messages over the named pipe to exploit the validation flaw [1].
Impact
Successful exploitation allows the attacker to escalate privileges from a low-privileged user context to a higher privilege level, potentially gaining SYSTEM or administrative access. This can lead to full compromise of the affected endpoint, including the ability to install programs, view, change, or delete data, and create new accounts with full user rights [1].
Mitigation
Trend Micro has released fixed versions: for Apex One (on-prem), apply SP1 Critical Patch Build 18012 (or install SP1 Build 17079 for new installations) to ensure agent build 14.0.0.17079 or later; for Apex One as a Service and Vision One SEP, update to Security Agent build 14.0.20731 or later. These updates were made available on May 21, 2026. Trend Micro has observed at least one instance of active exploitation in the wild, so immediate patching is strongly recommended [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
News mentions (12)
- InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise (Trend Micro Research · May 5, 2026)
- ZDI-26-269: TrendAI Apex One Console Directory Traversal Remote Code Execution Vulnerability (Zero Day Initiative · Apr 15, 2026)
- ZDI-26-270: TrendAI Apex One Console Directory Traversal Remote Code Execution Vulnerability (Zero Day Initiative · Apr 15, 2026)
- Copyright Lures Mask a Multi‑Stage PureLog Stealer Attack on Key Industries (Trend Micro Research · Mar 19, 2026)
- ZDI-26-136: Trend Micro Apex One Console Directory Traversal Remote Code Execution Vulnerability (Zero Day Initiative · Mar 3, 2026)
- ZDI-26-143: Trend Micro Apex One Security Agent TmSelfProtect Origin Validation Error Local Privilege Escalation Vulnerability (Zero Day Initiative · Mar 3, 2026)
- ZDI-26-140: Trend Micro Apex One Origin Validation Error Local Privilege Escalation Vulnerability (Zero Day Initiative · Mar 3, 2026)
- ZDI-26-141: Trend Micro Apex One Security Agent iCore Service Signature Verification Time-Of-Check Time-Of-Use Local Privilege Escalation Vulnerability (Zero Day Initiative · Mar 3, 2026)
- ZDI-26-137: Trend Micro Apex One Console Directory Traversal Remote Code Execution Vulnerability (Zero Day Initiative · Mar 3, 2026)
- ZDI-26-139: Trend Micro Apex One Security Agent iCore Service Origin Validation Error Local Privilege Escalation Vulnerability (Zero Day Initiative · Mar 3, 2026)
- ZDI-26-142: Trend Micro Apex One Security Agent Cache Mechanism Time-Of-Check Time-Of-Use Local Privilege Escalation Vulnerability (Zero Day Initiative · Mar 3, 2026)
- ZDI-26-138: Trend Micro Apex One Virus Scan Engine Link Following Local Privilege Escalation Vulnerability (Zero Day Initiative · Mar 3, 2026)