VYPR
patch · Published Mar 3, 2026 · Updated May 18, 2026 · 1 source

Trend Micro Apex One Cache Race Condition Allows Local Privilege Escalation to Root (CVE-2025-71216)

A local privilege escalation vulnerability in Trend Micro Apex One Security Agent's cache mechanism allows attackers with low-privileged code execution to gain root access, with a patch now available.

Trend Micro has released a security update to address a local privilege escalation vulnerability in its Apex One Security Agent, tracked as CVE-2025-71216 and assigned a CVSS score of 7.8. The flaw, disclosed on March 3, 2026, by the Zero Day Initiative (ZDI-26-142), resides in the agent's cache mechanism and allows an attacker who already has low-privileged code execution on a target system to escalate privileges to root.

The vulnerability is a time-of-check time-of-use (TOCTOU) race condition in the cache key checking logic during signature verification. According to the advisory, the specific flaw exists within the cache mechanism and results from the lack of proper cache key checking. An attacker can exploit this race condition to bypass signature verification, load malicious cached data, and ultimately execute arbitrary code in the context of the root user.
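To make the bug class concrete, the following is an added illustration (not Apex One code, and not from the advisory) of a verify-then-load cache pattern with the same shape: the vulnerable loader checks the signature on one open of the cache entry and then re-opens the same path to use it, so a replacement written between the two opens is loaded unverified; the hardened loader reads once and verifies exactly the bytes it goes on to use. The HMAC key, file layout and `swap()` writer are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Callable, Optional

# Constructed key for the illustration; a real cache would rely on a signing key
# the agent trusts, never a literal in the source.
CACHE_KEY = b"constructed-demo-key"
MAC_LEN = 32  # HMAC-SHA256 digest prefixes each cache entry


def sign(data: bytes) -> bytes:
    return hmac.new(CACHE_KEY, data, hashlib.sha256).digest()


def write_entry(path: str, data: bytes, mac: bytes) -> None:
    with open(path, "wb") as f:
        f.write(mac + data)


def load_vulnerable(path: str, between: Optional[Callable[[], None]] = None) -> bytes:
    """Check on one open, use on a second open: the two can see different files."""
    with open(path, "rb") as f:
        blob = f.read()
    if not hmac.compare_digest(sign(blob[MAC_LEN:]), blob[:MAC_LEN]):
        raise ValueError("bad cache signature")
    if between:          # stands in for the window a concurrent writer races into
        between()
    with open(path, "rb") as f:   # use: loads whatever is at 'path' *now*
        return f.read()[MAC_LEN:]


def load_hardened(path: str, between: Optional[Callable[[], None]] = None) -> bytes:
    """Read once, verify the bytes in memory, use only those same bytes."""
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))  # no symlink swap
    with os.fdopen(fd, "rb") as f:
        blob = f.read()
    if between:          # a writer changing the file now cannot affect 'blob'
        between()
    if not hmac.compare_digest(sign(blob[MAC_LEN:]), blob[:MAC_LEN]):
        raise ValueError("bad cache signature")
    return blob[MAC_LEN:]


def demo(loader: Callable[..., bytes]) -> bytes:
    """Run a loader against a constructed cache entry that is replaced mid-load."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "entry.cache")
        write_entry(path, b"trusted-config", sign(b"trusted-config"))

        def swap() -> None:  # unsigned replacement landing inside the race window
            write_entry(path, b"unsigned-payload", b"\x00" * MAC_LEN)

        return loader(path, swap)
```

`demo(load_vulnerable)` returns the unsigned replacement, while `demo(load_hardened)` returns the verified content; the detection and patching point is that verification must bind to the bytes actually used, not to a path that is re-resolved later.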

Trend Micro Apex One is an enterprise endpoint protection platform deployed across large organizations, making this a high-impact vulnerability for corporate and government environments. The attack requires local access and low-privileged code execution, meaning an attacker would first need to compromise a user account or exploit another vulnerability to gain a foothold. Once that foothold is achieved, however, the flaw provides a reliable path to full system compromise.

The vulnerability was reported to Trend Micro on April 8, 2025, by researcher Lays (@_L4ys) of TRAPA Security. Trend Micro has issued an update to correct the issue, with details available in their security advisory at https://success.trendmicro.com/en-US/solution/KA-0022458. The coordinated public release of the advisory occurred on March 3, 2026.

This disclosure follows a pattern of privilege escalation vulnerabilities in endpoint security products, which are attractive targets because they run with high system privileges. The TOCTOU nature of this bug is particularly concerning as race conditions can be difficult to detect and patch completely. Organizations using Trend Micro Apex One should prioritize applying the update to prevent potential lateral movement and privilege escalation by attackers who have already breached a low-privileged account.

Synthesized by Vypr AI