CISA orders agencies to patch exploited Trend Micro Apex One flaw by June 4
CISA has added CVE-2026-34926, a Trend Micro Apex One vulnerability, to its Known Exploited Vulnerabilities catalog after evidence of active exploitation.
The flaw affects Trend Micro Apex One on-premise deployments and sits in the product’s server component. According to Trend Micro’s May 2026 security bulletin, the issue can let an attacker modify a key table on the server and inject malicious code that can then reach managed agents.
The issue is tracked as CVE-2026-34926 and carries a CVSS 3.1 score of 6.7. The NVD record describes it as a directory traversal vulnerability affecting Apex One on-premise systems.
The flaw needs prior server access
This is a serious endpoint security risk, but it is not a simple remote takeover bug. Trend Micro says exploitation requires access to the Apex One server and administrative credentials obtained through another method.
That requirement matters because attackers would need to compromise or access the management server first. Still, once they reach that point, the impact can spread because Apex One manages endpoint agents across an organization.
Trend Micro says it has observed at least one attempt to exploit the flaw in the wild. That makes fast patching important for enterprises that use Apex One as a central endpoint security platform.
| Item | Details |
|---|---|
| CVE | CVE-2026-34926 |
| Product | Trend Micro Apex One on-premise |
| Vulnerability type | Directory traversal, listed as CWE-23 in the NVD details |
| CVSS 3.1 score | 6.7 |
| Known exploitation | At least one exploitation attempt observed by Trend Micro |
| CISA deadline | June 4, 2026, for federal civilian agencies |
Why Apex One compromise is dangerous
Apex One acts as a management platform for endpoint protection. If attackers can tamper with the server, they may use the trusted security channel to push malicious code to connected agents.
That risk makes the flaw different from a single-device local privilege escalation. A compromised management server can affect many protected endpoints if attackers abuse its trusted role.
Japan Vulnerability Notes says the only product vulnerable to this specific exploit is Trend Micro Apex One on-premise. The same advisory also lists other related vulnerabilities affecting Apex One agents and Trend Micro endpoint products.
Which versions need attention
Trend Micro says Apex One 2019 on-premise server and agent builds below 17079 are affected. The company lists SP1 Critical Patch Build 18012 for existing SP1 users, or SP1 Build 17079 for new installations, with at least agent build 14.0.0.17079.
For Apex One as a Service and Trend Micro Vision One Endpoint Security Standard Endpoint Protection, the affected agent builds are below 14.0.20731. Trend Micro says the updated agent build 14.0.20731 is available.
The JVN advisory also lists Apex One as a Service and Vision One Endpoint Security Standard Endpoint Protection as affected by related agent vulnerabilities, while noting that CVE-2026-34926 applies only to Apex One on-premise.
What organizations should do now
Federal civilian agencies must address the flaw by June 4, 2026, according to the CISA entry. Private organizations should treat the same date as a useful urgency marker, especially if Apex One manages large endpoint fleets.
Security teams should confirm which Apex One version they run, check server and agent build numbers, and apply the appropriate patch. They should also review who has administrative access to the Apex One server.
- Patch Apex One on-premise systems to the supported fixed build.
- Check agent builds and confirm endpoints receive the updated version.
- Limit access to the Apex One server to trusted administrators and trusted networks.
- Review logs for unexpected database changes, server-side file changes, or unusual agent deployments.
- Investigate any recent administrative access that cannot be clearly explained.
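The build check described above can be scripted over an exported agent inventory. This is an added example, not Trend Micro tooling or code from the advisory. The CSV layout, host names and sample build values are constructed; the two thresholds are the agent builds quoted in this article.

```python
import csv
import io
import re

# Agent builds below these values are affected, per the article's figures.
FIXED = {
    "onprem": (14, 0, 0, 17079),  # Apex One 2019 on-premise agent
    "saas": (14, 0, 20731),       # Apex One as a Service / Vision One SEP agent
}

def parse_build(text):
    """Return the dotted build as a tuple of ints, or None if malformed."""
    text = (text or "").strip()
    if not re.fullmatch(r"\d+(\.\d+)+", text, flags=re.ASCII):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(deployment, build):
    """Return 'affected', 'ok', or 'review' (unknown type or odd format)."""
    fixed = FIXED.get((deployment or "").strip().lower())
    parsed = parse_build(build)
    # The two products use different build formats (4 vs 3 components), so a
    # length mismatch means the row is mislabelled and needs a human look.
    if fixed is None or parsed is None or len(parsed) != len(fixed):
        return "review"
    return "affected" if parsed < fixed else "ok"

def triage(csv_text):
    """Group hosts from an inventory CSV (host,deployment,agent_build)."""
    result = {"affected": [], "ok": [], "review": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row.get("deployment"), row.get("agent_build"))
        result[status].append(row.get("host"))
    return result

# Constructed sample inventory; the build values are illustrative only.
SAMPLE = """host,deployment,agent_build
ws-001,onprem,14.0.0.17079
ws-002,onprem,14.0.0.13139
ws-003,saas,14.0.20731
ws-004,saas,14.0.14203
ws-005,onprem,14.0.17079
ws-006,onprem,unknown
"""

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts placed in the `review` group have an unrecognised deployment type or a build string that does not match the expected format, so they are not counted as patched.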
Security teams should also review server access
The vendor’s update guidance recommends applying the latest available builds and reviewing remote access to critical systems. That step matters because exploitation requires a foothold on or access to the server.
Organizations should not stop at patching alone. They should also check whether the Apex One server exposes management access too broadly, uses shared administrator accounts, or lacks proper logging.
The main risk is trust abuse. If attackers can control the system used to protect endpoints, they can turn a defensive platform into a distribution path for malicious code.
FAQ
CVE-2026-34926 is a directory traversal vulnerability in Trend Micro Apex One on-premise. It can let an attacker modify a key table on the server and inject code that may be distributed to connected endpoint agents.
Yes. Trend Micro says it observed at least one attempt to exploit the vulnerability in the wild, and CISA added it to its Known Exploited Vulnerabilities catalog.
CVE-2026-34926 applies only to Trend Micro Apex One on-premise. However, Trend Micro’s May 2026 bulletin also lists related agent vulnerabilities affecting Apex One as a Service and Vision One Endpoint Security Standard Endpoint Protection.
CISA set a June 4, 2026 deadline for U.S. federal civilian agencies to apply mitigations, follow vendor guidance, or discontinue use if mitigations are unavailable.
Organizations should install Trend Micro’s fixed builds, confirm endpoint agent versions, restrict administrative access to Apex One servers, review remote access paths, and monitor for suspicious server or agent changes.