
Trend Micro Apex One CVE-2026-34926 exploited; CISA deadline June 4

Trend Micro patches a directory-traversal flaw in the Apex One server after observing in-the-wild exploitation. CISA orders federal agencies to remediate by June 4.


CISA added CVE-2026-34926, a directory-traversal flaw in the Trend Micro Apex One server, to its Known Exploited Vulnerabilities catalog and set a federal patching deadline of June 4, 2026. Trend Micro confirmed it has observed at least one exploitation attempt in the wild.

The bug — scored 6.7 CVSS, classified CWE-23 — lets an attacker who can reach the Apex One management server modify a key database table and inject code the server then distributes to its managed endpoint agents. The blast radius is the entire fleet reporting to a compromised console.

Affected versions

The advisory covers both deployment models:

  • On-premise. Apex One 2019 server and agent builds below 17079 on Windows.
  • SaaS. Apex One as a Service and Trend Vision One Endpoint Security — Standard Endpoint Protection, agent builds below 14.0.20731.

The on-prem line is the one most readers will care about: Apex One 2019 servers patch on a manual cadence, while SaaS tenants receive updates pushed by Trend Micro.

Exploitation status

Trend Micro's advisory acknowledges at least one in-the-wild attempt. CISA's KEV addition makes the case official: there is enough evidence of active exploitation for the agency to invoke BOD 22-01 against federal civilian agencies. The deadline is June 4, 2026.

No public proof-of-concept code has surfaced yet, but a KEV entry combined with a known attack chain (modify the central table, push code to every agent) typically accelerates copycat work within days. Treat the next two weeks as the high-risk window for opportunistic scanning.

Action checklist

  1. Patch on-prem. Apply SP1 Critical Patch Build 18012 to existing SP1 installations, or SP1 Build 17079 with agent build 14.0.0.17079 for new deployments. Trend Micro withdrew the original CP 17079 patch for an unrelated issue and replaced it with 18012; do not chase the older build.
  2. Verify SaaS. Confirm Apex One as a Service and Vision One Endpoint Security agents have rolled to build 14.0.20731 or later. Tenant rollouts are automatic but staggered.
  3. Tighten admin access. Exploitation requires reaching the management server. Audit who can authenticate to the Apex One console, enforce MFA on those accounts, and rotate any credentials that lack it.
  4. Hunt. Review Apex One server logs and agent deployment history for unexpected configuration pushes or unfamiliar packages distributed to endpoints in the last 30 days.
  5. Federal civilian agencies. The KEV deadline is June 4. Schedule the change window now.
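
For checklist steps 1 and 2, the build comparison can be run over an exported inventory. The script below is an added example, not Trend Micro tooling: the CSV layout, hostnames and sample build values are constructed, and it assumes the on-prem build number is the last dotted component, as in the 14.0.0.17079 string above.

```python
import csv
import io

# Thresholds as stated in the "Affected versions" section of this page.
ONPREM_FIXED_BUILD = 17079           # on-prem: builds below 17079 are affected
SAAS_FIXED_VERSION = (14, 0, 20731)  # SaaS: agent builds below 14.0.20731

# Constructed sample inventory (hypothetical hosts, layout and build values).
SAMPLE_INVENTORY = """host,model,build
srv-console-01,onprem,14.0.0.13139
ws-0142,onprem,14.0.0.17079
ws-0207,onprem,18012
lt-0311,saas,14.0.20731
lt-0312,saas,14.0.14492
lt-0313,saas,
kiosk-07,onprem,14.0.0.x
"""

def parse_version(text):
    """Return a dotted build string as a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(model, build):
    """Return 'affected', 'fixed' or 'unknown' for one inventory row."""
    version = parse_version(build)
    if version is None:
        return "unknown"  # blank or garbled build: needs manual review
    if model == "onprem":
        # 14.0.0.17079 or a bare 17079: compare only the trailing build number.
        return "affected" if version[-1] < ONPREM_FIXED_BUILD else "fixed"
    if model == "saas":
        # Three-part version: compare numerically, never as text, so that
        # 14.0.9999 sorts below 14.0.20731.
        if len(version) != 3:
            return "unknown"
        return "affected" if version < SAAS_FIXED_VERSION else "fixed"
    return "unknown"

def triage(csv_text):
    """Group hostnames by patch status."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row["model"].strip().lower(), row["build"] or "")
        result[status].append(row["host"])
    return result

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:8} {', '.join(hosts)}")
```

Rows that land in `unknown` are the ones to check by hand; an agent that reports no build is not evidence that it is patched.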

Context

CVE-2026-34926 is the second high-severity issue in an endpoint-protection management plane to land on KEV inside six months. The pattern is consistent: when the security console is the target, the attacker inherits the trust relationship the console has with every machine it manages — and the AV/EDR distribution channel is, by design, an authenticated software-installer pipeline. Backup servers, MDM tenants, and EDR consoles all share that same property; they are administrative single points of failure dressed up as productivity tools.

CISA paired the Trend Micro entry with CVE-2025-34291, an unauthenticated code-execution flaw in Langflow, also added to KEV the same day. Two server-side flaws, one federal deadline, one weekend.
