VYPR
Patch · Published Mar 3, 2026 · Updated May 18, 2026 · 1 source

Trend Micro Apex One NT Listener Flaw Allows Local Privilege Escalation to SYSTEM

A newly disclosed vulnerability in Trend Micro Apex One (CVE-2025-71213) allows local attackers to escalate privileges to SYSTEM via an origin validation error in the NT Listener service.

Trend Micro has released a security update to address a local privilege escalation vulnerability in its Apex One security agent. The flaw, tracked as CVE-2025-71213 and assigned a CVSS score of 7.8, was disclosed by the Zero Day Initiative (ZDI) on March 3, 2026, after being reported by researcher Lays (@_L4ys) of TRAPA Security.

The vulnerability resides in the Apex One NT Listener service. According to the ZDI advisory, the issue stems from insufficient validation of the origin of commands sent to the service. An attacker who has already obtained the ability to execute low-privileged code on the target system can exploit this weakness to escalate privileges and execute arbitrary code in the context of SYSTEM, the highest level of access on Windows.

This type of vulnerability is particularly dangerous in enterprise environments where Apex One is deployed as an endpoint security solution. A successful exploit could allow an attacker to disable security controls, install persistent malware, or move laterally across the network. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates that while the attack requires local access and low privileges, it does not require user interaction and can achieve full compromise of confidentiality, integrity, and availability.

Trend Micro has issued a patch for the vulnerability, with details available in its security advisory (KA-0022458). The disclosure timeline shows that the vulnerability was reported to Trend Micro on May 2, 2025, and the coordinated public release of the advisory occurred on March 3, 2026. This nearly ten-month window between reporting and disclosure is typical for coordinated vulnerability disclosure processes.

The flaw was discovered by Lays of TRAPA Security, a well-known security research firm. The ZDI advisory credits the researcher and notes that Trend Micro has released an update to correct the issue. Organizations using Trend Micro Apex One should apply the patch as soon as possible to mitigate the risk of local privilege escalation attacks.

This vulnerability highlights the ongoing challenge of securing endpoint security software itself. As security agents run with high privileges to monitor and protect systems, any flaw in their code can become a vector for attackers to gain elevated access. The discovery of an origin validation error in a core service like the NT Listener underscores the importance of rigorous input validation in privileged components.

Synthesized by Vypr AI