VYPR
patch · Published Mar 3, 2026 · Updated May 18, 2026 · 1 source

Trend Micro Apex One iCore Service TOCTOU Flaw Allows Local Privilege Escalation to Root

A time-of-check time-of-use vulnerability in Trend Micro Apex One's iCore service lets attackers with low-privileged code execution escalate to root, with a CVSS score of 7.8.

Trend Micro has released a patch for a local privilege escalation vulnerability in its Apex One Security Agent that could allow attackers to gain root-level access on affected systems. The flaw, tracked as CVE-2025-71215 and disclosed by the Zero Day Initiative (ZDI-26-141), is a time-of-check time-of-use (TOCTOU) issue in the signature verification process of the iCore service. An attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability, but successful exploitation grants full root privileges.

The vulnerability resides in the iCore service's failure to properly validate file paths during signature verification. This TOCTOU race condition means that between the time a file's signature is checked and the time it is actually used, an attacker can swap the legitimate file with a malicious one. The flaw allows an attacker to escalate privileges and execute arbitrary code in the context of root, effectively taking complete control of the endpoint.
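The check-then-use gap described above, modelled in an added example that is not Trend Micro's code (the actual iCore verification logic is not public): a loader that verifies a file by path and then re-opens it by name, beside one that opens the file once and verifies the bytes it actually uses, each run with a simulated swap inside the window. File names, contents and the SHA-256 "signature" scheme are constructed for the illustration.

```python
import hashlib
import os
import stat
import tempfile

# Constructed model of the bug class, not Trend Micro's code: a "signed" file is
# trusted when its SHA-256 matches a known-good digest supplied by the caller.

def load_by_path_unsafe(path, expected_digest, race_window=lambda: None):
    """Vulnerable: verify the file named by `path`, then re-open it by name. The
    second lookup resolves the name again, so a swap in `race_window` is unchecked."""
    with open(path, "rb") as f:
        if hashlib.sha256(f.read()).hexdigest() != expected_digest:
            raise PermissionError("signature mismatch")
    race_window()               # stands in for a concurrent low-privileged process
    with open(path, "rb") as f:
        return f.read()         # may be a different file than the one just verified

def load_by_fd_safe(path, expected_digest, race_window=lambda: None):
    """Hardened: open once (no symlinks, regular files only), verify the bytes read
    from that descriptor, then use those same bytes; a later swap cannot matter."""
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        st = os.fstat(fd)       # inspect the opened object, not the path name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        data = os.read(fd, st.st_size)
    finally:
        os.close(fd)
    if hashlib.sha256(data).hexdigest() != expected_digest:
        raise PermissionError("signature mismatch")
    race_window()               # harmless here: `data` is already fixed in memory
    return data

def simulate_swap():
    """Run both loaders against a trusted file that gets atomically replaced inside
    the race window. Returns (unsafe_result, safe_result) as bytes."""
    trusted, evil = b"legit module\n", b"attacker module\n"
    digest = hashlib.sha256(trusted).hexdigest()
    results = []
    with tempfile.TemporaryDirectory() as d:
        target, staged = os.path.join(d, "module.bin"), os.path.join(d, "evil.bin")
        for loader in (load_by_path_unsafe, load_by_fd_safe):
            for p, content in ((target, trusted), (staged, evil)):
                with open(p, "wb") as f:
                    f.write(content)
            swap = lambda: os.replace(staged, target)   # atomic rename over target
            results.append(loader(target, digest, race_window=swap))
    return tuple(results)
```

The path-based loader returns the swapped-in contents even though the signature check passed, while the descriptor-based loader returns exactly the bytes it verified.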

Trend Micro Apex One is an enterprise endpoint protection platform widely deployed in corporate environments. The vulnerability carries a CVSS score of 7.8, classified as high severity, with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates that while the attack requires local access and low privileges, it poses a significant risk to confidentiality, integrity, and availability.

The vulnerability was reported by researcher Lays (@_L4ys) of TRAPA Security on April 8, 2025, with coordinated public disclosure occurring on March 3, 2026. Trend Micro has issued a security update to address the issue, detailed in solution KA-0022458, available on their support portal. Organizations running Apex One should apply the patch as soon as possible to mitigate the risk of local privilege escalation attacks.

This disclosure follows a pattern of TOCTOU vulnerabilities in security software, which are particularly dangerous because they undermine the very protection the software is meant to provide. Security agents often run with elevated privileges, making them attractive targets for attackers seeking to disable defenses or move laterally within a network. The involvement of a coordinated disclosure timeline and a credited researcher highlights the importance of responsible vulnerability reporting in maintaining enterprise security.

Synthesized by Vypr AI