VYPR
patch · Published Mar 3, 2026 · Updated May 18, 2026 · 1 source

Trend Micro Apex One iCore Service Flaw Allows Local Privilege Escalation to Root (CVE-2025-71214)

A local privilege escalation vulnerability in Trend Micro Apex One Security Agent's iCore service (CVE-2025-71214, CVSS 7.8) allows attackers with low-privileged code execution to gain root access.

Trend Micro has released a security update to address a local privilege escalation vulnerability in its Apex One Security Agent. The flaw, tracked as CVE-2025-71214 and assigned a CVSS score of 7.8, resides in the iCore service and stems from improper validation of the origin of Inter-Process Communication (IPC) messages. An attacker who first obtains the ability to execute low-privileged code on a target system can exploit this weakness to escalate privileges and execute arbitrary code in the context of root.

The vulnerability was discovered and reported by researcher Lays (@_L4ys) of TRAPA Security. According to the advisory published by the Zero Day Initiative (ZDI-26-139), the specific flaw exists within the iCore service's handling of IPC messages. By failing to properly validate where these messages originate, the service can be tricked into executing commands from an untrusted source, effectively allowing a local attacker to bypass security boundaries and gain full system-level control.
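The weakness class described above, shown as an added illustration (this is not Trend Micro's code and is not taken from the advisory). The page does not say which IPC mechanism iCore uses, so the sketch assumes a Unix domain socket on Linux, where the kernel reports the peer's credentials through `SO_PEERCRED`; the message fields and handler names are hypothetical.

```python
import json
import os
import socket
import struct

UCRED = struct.Struct("iII")  # Linux struct ucred: pid, uid, gid


def peer_credentials(conn):
    """Return (pid, uid, gid) of the connected peer as recorded by the kernel."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    return UCRED.unpack(raw)


def accept_unchecked(conn):
    """Weak form: the only 'origin' check is a field the sender wrote itself."""
    msg = json.loads(conn.recv(4096))
    return msg.get("sender") == "trusted-agent"


def accept_checked(conn, allowed_uids):
    """Hardened form: origin comes from the kernel, not from the message body."""
    msg = json.loads(conn.recv(4096))
    _pid, uid, _gid = peer_credentials(conn)
    if uid not in allowed_uids:
        return False
    return isinstance(msg.get("command"), str)


def demo(allowed_uids):
    """Send one constructed message over a socketpair to each handler."""
    # Constructed sample message; field names are hypothetical.
    sample = json.dumps({"sender": "trusted-agent", "command": "run-task"}).encode()
    results = {}
    for name, handler in (("unchecked", accept_unchecked),
                          ("checked", lambda c: accept_checked(c, allowed_uids))):
        service, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        with service, client:
            client.sendall(sample)
            results[name] = handler(service)
    return results


if __name__ == "__main__":
    me = os.getuid()
    print(demo({me}))      # caller's UID is on the allow-list
    print(demo({me + 1}))  # caller's UID is not on the allow-list
```

The unchecked handler accepts the message regardless of who sent it, while the checked handler's decision follows the kernel-reported UID and ignores the self-declared `sender` field.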

Trend Micro has issued a security update to correct the vulnerability. Customers are advised to apply the patch as soon as possible. The update is available through Trend Micro's official support portal, with more details provided in the company's security advisory (KA-0022458). Given the high severity of the flaw and the fact that it requires only low-privileged access to exploit, organizations using Apex One should prioritize patching to prevent potential lateral movement or full system compromise.

The disclosure timeline indicates that the vulnerability was reported to Trend Micro on March 30, 2025, with the coordinated public release of the advisory occurring on March 3, 2026. This nearly year-long period between reporting and disclosure is not uncommon for complex enterprise software patches, but it underscores the importance of timely updates once fixes are available.

Local privilege escalation vulnerabilities remain a critical component of many attack chains. While they require an initial foothold on a system, they enable attackers to bypass user account controls, install persistent malware, or disable security software. The Trend Micro Apex One agent runs with elevated privileges by design, making this type of flaw particularly dangerous for enterprise environments where the software is widely deployed.

Organizations using Trend Micro Apex One should verify that their security agents are updated to the latest version. Administrators can check for updates through the Apex One management console or by consulting the vendor's advisory at https://success.trendmicro.com/en-US/solution/KA-0022458.

Synthesized by Vypr AI