Trend Micro users beware - dangerous Apex One zero-day exploited in the wild


  • Trend Micro patches CVE‑2026‑34926, a medium‑severity directory traversal flaw in Apex One (on‑prem) that lets local admins inject malicious code
  • Despite requiring prior admin access, the bug is already being exploited in the wild, prompting urgent patching guidance
  • CISA adds it to the KEV catalog, giving federal agencies until June 4, 2026 to update or discontinue use per BOD 22‑01 directives

A dangerous vulnerability in Trend Micro’s Apex One product is being actively abused in the wild, researchers have warned, urging users to apply the provided patch as soon as possible.

Apex One is Trend Micro’s endpoint protection platform (EPP) built to protect enterprise devices from malware, ransomware, fileless attacks, and various other cyber-threats. It uses a combination of antivirus capabilities, behavioral analysis, machine learning, and EDR/XDR. It appears to be rather popular, with some sources counting the number of customers in the thousands.

The company has now issued a patch for a directory traversal vulnerability in the on-prem variant of Apex One that could allow local actors (with admin privileges) to inject malicious code.

Capturing tokens

“A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations,” the NVD entry reads.

“This vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability.”

The bug is now tracked as CVE-2026-34926 and carries a severity score of 6.7/10 (medium).

While all of this points to a somewhat low-risk vulnerability, Trend Micro said that it has already seen “at least one” exploitation attempt.

We don’t know if one attempt is enough to get a flaw listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, but the US agency has listed this one. Last Thursday, CISA disclosed a new entry in the catalog, giving Federal Civilian Executive Branch (FCEB) agencies a deadline of June 4 to apply the patch or stop using Apex One entirely.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA said. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

Via BleepingComputer




Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
