Critical Trend Micro Apex One Flaws Let Attackers Run Malicious Code on Corrupted Consoles
Trend Micro has patched a set of critical vulnerabilities in its Apex One endpoint‑protection suite that can allow attackers to run arbitrary code on affected systems. The vendor’s February 2026 advisory covers CVE‑2025‑71210 through CVE‑2025‑71217, with CVSS v3 scores from 7.2 up to 9.8, affecting both on‑premises Apex One 2019 (Windows) and the cloud‑based Apex One as a Service (Trend Vision One Endpoint – Standard Endpoint Protection) on Windows.
The most severe issues are two console‑based directory‑traversal remote‑code‑execution (RCE) flaws, CVE‑2025‑71210 and CVE‑2025‑71211. These allow an authenticated attacker with access to the Apex One Management Console to upload malicious files or scripts and execute them on the underlying server, turning the management node into a launch‑pad for further compromise.
Which products are affected
The February 2026 advisory explicitly lists:
- Apex One 2019 (on‑premises) on Windows.
- Apex One as a Service (Trend Vision One Endpoint – Standard Endpoint Protection) on Windows.
Trend Micro notes that earlier Apex One versions will continue to receive updates via ActiveUpdate until March 31, 2026. After that, only Apex One 2019 will remain supported. The vendor urges all customers to move to the latest available builds, even if some prior patches already addressed parts of the same code paths.
How the critical console vulnerabilities work
The two highest‑risk issues, CVE‑2025‑71210 and CVE‑2025‑71211, are classified as directory‑traversal RCE flaws (CWE‑22) in the Apex One Management Console. In practice, this means:
- An attacker must have authenticated access to the management console (usually via administrator or operator‑level credentials).
- Through a design or validation gap, the attacker can specify a file path that traverses up the directory tree and overwrites or writes to a location controlled by the operating system, such as directories under C:\Program Files or C:\ProgramData.
- The attacker can then upload a malicious script or payload and persuade the system or service to execute it, achieving remote code execution on the console host.
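The containment check an upload handler needs in order to close the traversal pattern described above, shown as an added example (not Trend Micro's code, and not a description of how the Apex One console is implemented): `resolve_upload_path` normalizes the requested name against a constructed root directory and rejects anything that would land outside it, including the `..` climbing, absolute, UNC and stream-qualified forms.

```python
import ntpath
from typing import Optional

# Constructed example root for console uploads; not Apex One's real directory layout.
UPLOAD_ROOT = r"C:\Program Files\ExampleConsole\Uploads"


def resolve_upload_path(root: str, requested: str) -> Optional[str]:
    """Map a caller-supplied file name onto a path strictly inside `root`.

    Returns the normalized Windows path, or None when the request is
    absolute, drive- or UNC-qualified, names an NTFS stream, contains a
    NUL byte, or climbs out of `root` with ".." segments (the CWE-22
    pattern behind the console RCEs discussed on this page).
    """
    if not requested or "\x00" in requested:
        return None
    # Rooted forms: "C:\...", "\\server\share\...", and a lone leading "\" or "/"
    # (checked explicitly because ntpath.isabs no longer treats a single
    # leading separator as absolute from Python 3.13 on).
    if ntpath.isabs(requested) or ntpath.splitdrive(requested)[0] or requested[0] in "\\/":
        return None
    # Any remaining colon is a drive letter or an alternate data stream (file.txt:stream).
    if ":" in requested:
        return None

    root_n = ntpath.normpath(root)
    # normpath collapses ".." and converts "/" to "\", so the containment check
    # below sees the same path the filesystem would actually open.
    candidate = ntpath.normpath(ntpath.join(root_n, requested))

    # NTFS is case-insensitive, so compare case-folded paths.
    root_cmp = ntpath.normcase(root_n)
    cand_cmp = ntpath.normcase(candidate)
    if cand_cmp == root_cmp:
        return None  # the upload directory itself is not a valid target
    try:
        common = ntpath.commonpath([root_cmp, cand_cmp])
    except ValueError:
        return None  # paths on different drives
    return candidate if common == root_cmp else None


def screen_requests(names):
    """Return {name: accepted path or None} for a batch of constructed upload names."""
    return {n: resolve_upload_path(UPLOAD_ROOT, n) for n in names}


if __name__ == "__main__":
    for name, result in screen_requests(["report.csv", r"..\..\..\evil.ps1"]).items():
        print(f"{name!r:30} -> {'REJECT' if result is None else result}")
```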
Trend Micro explicitly warns that exposing the Apex One Management Console to the public internet increases the risk of exploitation. The vendor recommends:
- Applying source‑IP restrictions to the console so that only trusted administrative networks can reach it.
- Using network‑level firewalls and web‑application‑firewall (WAF) rules to block any external traffic to the management‑port endpoints.
Key vulnerabilities in brief
| CVE ID | Type / CWE | CVSS v3 | Platform | What it enables |
|---|---|---|---|---|
| CVE‑2025‑71210 | Console directory‑traversal RCE (CWE‑22) | 9.8 | Windows | Upload malicious code and execute on the console host. |
| CVE‑2025‑71211 | Console directory‑traversal RCE (CWE‑22) | 9.8 | Windows | Same attack pattern as 71210, with similar impact. |
| CVE‑2025‑71212 | Link‑following LPE (CWE‑59) | 7.8 | Windows | Local attacker escalates privileges via symlink / link‑traversal tricks. |
| CVE‑2025‑71213 | Origin‑validation LPE (CWE‑346) | 7.8 | Windows | Local attacker abuses validation gaps to gain higher privileges. |
| CVE‑2025‑71214 | Origin‑validation LPE (CWE‑346) | 7.2 | macOS | Informational; previously fixed via ActiveUpdate / SaaS. |
| CVE‑2025‑71215 | TOCTOU‑style LPE (CWE‑367) | 7.8 | macOS | Informational; previously fixed. |
| CVE‑2025‑71216 | TOCTOU‑style LPE (CWE‑367) | 7.8 | macOS | Informational; previously fixed. |
| CVE‑2025‑71217 | Origin‑validation LPE (CWE‑346) | 7.8 | macOS | Informational; previously fixed. |
For the Windows‑side local‑privilege‑escalation (LPE) issues, an attacker first needs low‑privileged code execution on the endpoint. Once they have that, they can exploit the flawed symlink‑handling, origin‑validation, or time‑of‑check‑time‑of‑use (TOCTOU) logic to gain higher‑privileged access on the same host. The macOS‑related CVEs are marked as informational, because they were already patched earlier through Trend Micro’s ActiveUpdate or SaaS‑style delivery mechanisms.
Why these flaws matter for defenders
Apex One is used by organizations that want centralized endpoint‑protection management, so the console often sits on a high‑value server with access to internal networks, logs, and policy‑control capabilities. A successful RCE against the management console can:
- Allow attackers to modify protection policies, disable or suppress alerts, and even push malicious updates to endpoints.
- Provide a pivot point for lateral movement into the rest of the environment.
- Undermine the trust model of the endpoint‑protection stack, because the agent‑management node itself becomes a controlled implant.
Because the directory‑traversal RCEs require console‑level access, many organizations will not be directly exposed if they enforce strict network segmentation and multi‑factor authentication on the admin interfaces. However, any company that has left the console IP reachable from the internet or from broad internal subnets faces a much higher risk profile.
What organizations should do now
Trend Micro’s remediation guidance is straightforward but time‑sensitive:
- Apply the latest updates for Apex One 2019 immediately, even if your environment already received prior patches. The vendor notes that some of the same underlying code paths have been addressed iteratively, and only the newest builds fully remediate the vulnerabilities listed in the February 2026 advisory.
- Restrict console access to tightly controlled IP ranges and VLANs. Disable any direct internet exposure of the management‑port endpoints.
- Enable multi‑factor authentication (MFA) for all console‑level accounts to reduce the risk of stolen credentials.
- Monitor for unusual activity on the console host, such as:
- Review and harden the endpoint‑agent‑deployment model so that endpoint‑level local‑privilege‑escalation vulnerabilities are less dangerous. For example, enforce least‑privilege policies and application‑control rules that limit the damage an attacker can do once they gain low‑level access.
For organizations using the cloud‑based Apex One as a Service (Trend Vision One), the vendor states that the SaaS‑deployed agents are already mitigating the critical RCE flaws, but the cloud‑console‑side guidance about source‑IP restrictions and network‑layer protections still applies wherever the admin portal is reachable.
FAQ
The two critical issues, CVE‑2025‑71210 and CVE‑2025‑71211, are directory‑traversal remote‑code‑execution bugs in the Apex One Management Console that let attackers run malicious code on the console host if they can log in to the interface.
Both on‑premises Apex One 2019 on Windows and Apex One as a Service (Trend Vision One Endpoint – Standard Endpoint Protection) on Windows are affected. The macOS‑side entries are marked as informational because they were already fixed earlier.
For the critical RCEs, attackers need authenticated access to the Apex One Management Console. If the console is exposed to the internet, this dramatically increases risk. The Windows‑based local‑privilege‑escalation issues require the attacker to already have low‑privileged code execution on the endpoint.
Yes. The vendor has released updated builds for Apex One 2019 and Apex One as a Service that patch the directory‑traversal RCE and LPE flaws. The macOS‑related CVEs were already remediated via prior ActiveUpdate and SaaS releases.