Trend Micro Apex One Virus Scan Engine Flaw (CVE-2025-71212) Enables Local Privilege Escalation to SYSTEM
A local privilege escalation vulnerability in Trend Micro Apex One's Virus Scan Engine allows attackers with low-privileged code execution to gain full SYSTEM access via a symbolic link attack on the VSApiNt.sys driver.

Trend Micro has released a security update addressing a local privilege escalation vulnerability in its Apex One Security Agent, tracked as CVE-2025-71212. The flaw, disclosed by the Zero Day Initiative on March 3, 2026, carries a CVSS score of 7.8 and allows attackers with low-privileged code execution on a target system to escalate privileges to SYSTEM.
The vulnerability resides in the Virus Scan Engine component of Apex One. Specifically, the flaw exists within the VSApiNt.sys driver, which can be abused through a symbolic link attack. By creating a symbolic link, an attacker can force the driver to delete arbitrary files on the system, ultimately enabling privilege escalation and arbitrary code execution in the context of SYSTEM.
To exploit this vulnerability, an attacker must first obtain the ability to execute low-privileged code on the target system. This could be achieved through a separate initial compromise, such as a phishing attack or another vulnerability that grants limited access. Once that foothold is established, the attacker can leverage the symbolic link attack to gain full control of the affected machine.
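The class of bug described above, a privileged delete that follows a link planted in a user-writable location, is shown here beside a hardened form. This is an added example, not Trend Micro's code; it goes beyond the page by using a POSIX analogue in Python, since the page gives no driver internals. All function, directory and file names are constructed for illustration.

```python
import os
import tempfile

def naive_delete(scan_dir, name):
    """Link-following pattern: the path is re-resolved at delete time, so a
    scan_dir that has been swapped for a link redirects the delete."""
    os.unlink(os.path.join(scan_dir, name))

def hardened_delete(scan_dir, name):
    """Open the directory itself with O_NOFOLLOW (fails if it is a link), then
    delete relative to that handle instead of re-resolving a path string."""
    if os.sep in name or name in ("", ".", ".."):
        raise ValueError("name must be a single path component")
    fd = os.open(scan_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        os.unlink(name, dir_fd=fd)
    finally:
        os.close(fd)

def demo():
    """Constructed scenario inside a temp dir. Returns a tuple saying whether
    the protected file survived (naive_delete, hardened_delete)."""
    survived = []
    for delete in (naive_delete, hardened_delete):
        with tempfile.TemporaryDirectory() as root:
            protected = os.path.join(root, "protected")
            os.mkdir(protected)
            victim = os.path.join(protected, "item.dat")
            open(victim, "w").close()
            # The working directory the privileged code trusts is a link
            # pointing at the protected location (constructed sample state).
            scan_dir = os.path.join(root, "scan")
            os.symlink(protected, scan_dir)
            try:
                delete(scan_dir, "item.dat")
            except OSError:
                pass  # hardened path: opening a link with O_NOFOLLOW is refused
            survived.append(os.path.exists(victim))
    return tuple(survived)

if __name__ == "__main__":
    print(demo())
```

O_NOFOLLOW guards only the final path component, so a complete fix also has to control or validate the parent directories of the working location.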
The vulnerability was reported to Trend Micro on August 14, 2024, and the coordinated public release of the advisory occurred on March 3, 2026. Trend Micro has issued a security update to correct the flaw, and users are strongly advised to apply the patch as soon as possible. The vendor's advisory is available at Trend Micro's support page.
Trend Micro Apex One is a widely deployed endpoint security solution used by enterprises and organizations to protect against malware and advanced threats. The ability for a local attacker to escalate to SYSTEM privileges undermines the security posture of any organization relying on the software, as it could allow an attacker to disable security controls, exfiltrate sensitive data, or move laterally within a network.
This disclosure follows a broader trend of privilege escalation vulnerabilities in security software, which are particularly dangerous because they can turn a defense tool into an attack vector. Organizations using Trend Micro Apex One should prioritize patching this vulnerability, especially on systems where users have limited privileges but could be compromised through other means.