CVE-2026-45208
Description
A time-of-check time-of-use vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A TOCTOU vulnerability in the Trend Micro Apex One/SEP agent allows local privilege escalation by an attacker who can already execute low-privileged code on the system.
Vulnerability
A time-of-check time-of-use (TOCTOU) vulnerability exists in the Apex One/SEP agent. Affected versions include Apex One 2019 (on-prem) server and agent builds below 17079, and Vision One SEP agent builds below 14.0.20731. The bug is in the agent component and requires the attacker to have low-privileged code execution on the target system [1].
Exploitation
An attacker must first obtain the ability to execute low-privileged code on the target system. Then, by exploiting the TOCTOU race condition, the attacker can escalate privileges. No additional steps are detailed in the available reference [1].
Impact
Successful exploitation allows local privilege escalation, potentially to SYSTEM level. The CVSS v3 score is 7.8 (High). Trend Micro has observed active exploitation in the wild [1].
Mitigation
Trend Micro has released fixed versions: Apex One (on-prem) SP1 CP Build 18012 (or SP1 Build 17079 for new installs) and Vision One SEP agent build 14.0.20731. Customers should update immediately. No workarounds are provided [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
News mentions
- InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise (Trend Micro Research · May 5, 2026)
- ZDI-26-269: TrendAI Apex One Console Directory Traversal Remote Code Execution Vulnerability (Zero Day Initiative · Apr 15, 2026)
- ZDI-26-270: TrendAI Apex One Console Directory Traversal Remote Code Execution Vulnerability (Zero Day Initiative · Apr 15, 2026)
- Copyright Lures Mask a Multi‑Stage PureLog Stealer Attack on Key Industries (Trend Micro Research · Mar 19, 2026)
- ZDI-26-136: Trend Micro Apex One Console Directory Traversal Remote Code Execution Vulnerability (Zero Day Initiative · Mar 3, 2026)
- ZDI-26-143: Trend Micro Apex One Security Agent TmSelfProtect Origin Validation Error Local Privilege Escalation Vulnerability (Zero Day Initiative · Mar 3, 2026)
- ZDI-26-140: Trend Micro Apex One Origin Validation Error Local Privilege Escalation Vulnerability (Zero Day Initiative · Mar 3, 2026)
- ZDI-26-141: Trend Micro Apex One Security Agent iCore Service Signature Verification Time-Of-Check Time-Of-Use Local Privilege Escalation Vulnerability (Zero Day Initiative · Mar 3, 2026)
- ZDI-26-137: Trend Micro Apex One Console Directory Traversal Remote Code Execution Vulnerability (Zero Day Initiative · Mar 3, 2026)
- ZDI-26-139: Trend Micro Apex One Security Agent iCore Service Origin Validation Error Local Privilege Escalation Vulnerability (Zero Day Initiative · Mar 3, 2026)
- ZDI-26-142: Trend Micro Apex One Security Agent Cache Mechanism Time-Of-Check Time-Of-Use Local Privilege Escalation Vulnerability (Zero Day Initiative · Mar 3, 2026)
- ZDI-26-138: Trend Micro Apex One Virus Scan Engine Link Following Local Privilege Escalation Vulnerability (Zero Day Initiative · Mar 3, 2026)