
Trend Micro Apex One

Trend Micro's on-premises enterprise endpoint detection and response product; CVE-2026-34926 is a CVSS 6.7 directory-traversal flaw confirmed exploited in the wild.

Last refreshed: 29 May 2026 · Appears in 1 active topic

Key Question

Why does a security product's own directory-traversal flaw end up on CISA's most-wanted list?

Timeline for Trend Micro Apex One

#5 · 21 May

AI orchestration flaw joins CISA's KEV

Cybersecurity: Threats and Defences
Common Questions
What is CVE-2026-34926 in Trend Micro Apex One?
CVE-2026-34926 is a directory-traversal vulnerability (CVSS 6.7) in Trend Micro Apex One that was added to CISA's Known Exploited Vulnerabilities catalogue on 21 May 2026 after confirmed exploitation in the wild.
Source: CISA KEV, May 2026
Is Trend Micro Apex One still safe to use?
Organisations running Trend Micro Apex One should apply the patch for CVE-2026-34926 immediately. CISA's KEV listing confirms the flaw is actively exploited; unpatched servers should be isolated from untrusted networks until the update is applied.
Source: event
How does a directory traversal attack work on endpoint security software?
A directory-traversal attack manipulates file path inputs (e.g. using ../ sequences) to access files outside the intended directory. On an endpoint security management server with elevated privileges, this can expose configuration files, stored credentials, or policy data to an attacker.
Source: event
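
The containment check that stops this class of bug, shown as an added example: it is not Trend Micro's code and not a reconstruction of CVE-2026-34926. The names resolve_inside and prefix_check, and the directory tree, are hypothetical and constructed; the example contrasts a string-prefix check, which a sibling directory defeats, with a comparison of resolved path components.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote

class PathEscapeError(ValueError):
    """The requested path resolves outside the permitted base directory."""

def prefix_check(base: Path, user_path: str) -> bool:
    """Flawed check: normalises, then compares string prefixes."""
    return os.path.normpath(str(base / user_path)).startswith(str(base))

def resolve_inside(base: Path, user_path: str) -> Path:
    """Return the real path for user_path, or raise if it leaves base."""
    # Assumption: input may still be percent-encoded. Decode once and treat
    # backslashes as separators before the containment test.
    decoded = unquote(user_path).replace("\\", "/")
    if "\x00" in decoded:
        raise PathEscapeError("NUL byte in path")
    base_real = base.resolve(strict=True)
    # resolve() collapses ".." and follows symlinks. An absolute user_path
    # replaces base in the join and is then rejected below.
    candidate = (base_real / decoded).resolve()
    # Compare whole path components, never string prefixes.
    if candidate != base_real and base_real not in candidate.parents:
        raise PathEscapeError(f"{user_path!r} escapes {base_real}")
    return candidate

def demo() -> dict:
    """Run constructed requests against a constructed directory tree."""
    requests = ["q1/summary.txt", "q1/../q1/summary.txt", "../server.ini",
                "..%2fserver.ini", "..\\server.ini", "/etc/hostname",
                "../reports_private/keys.txt"]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        base = root / "reports"
        (base / "q1").mkdir(parents=True)
        (base / "q1" / "summary.txt").write_text("constructed")
        (root / "reports_private").mkdir()
        for req in requests:
            try:
                resolve_inside(base, req)
                results[req] = "allowed"
            except PathEscapeError:
                results[req] = "blocked"
        results["prefix_check_sibling"] = prefix_check(base, requests[-1])
    return results
```

demo() returns a mapping from each constructed request to "allowed" or "blocked", plus the flawed prefix check's verdict on the sibling directory that shares the ".../reports" string prefix.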

Background

Trend Micro Apex One is the flagship on-premises endpoint detection and response (EDR) platform from Trend Micro, aimed at enterprise environments requiring local data-sovereignty or air-gapped deployment. It provides threat detection, behavioural monitoring, vulnerability patching, and centralised management across Windows and macOS endpoints. On-premises deployment distinguishes it from Trend Micro's cloud-native Worry-Free Business Security service.

On 21 May 2026, CISA added CVE-2026-34926, a directory-traversal vulnerability with a CVSS score of 6.7, to the Known Exploited Vulnerabilities catalogue. The flaw permits a local or network-adjacent attacker with limited privileges to traverse restricted directory paths on the Apex One server, potentially exposing configuration files, credentials, or policy data. Confirmed exploitation in the wild prompted CISA's KEV listing.

The CVE-2026-34926 listing is a reminder that security products themselves are not immune to the class of vulnerabilities they protect against. Endpoint security agents typically run with elevated privileges and maintain persistent connections to management servers, making directory-traversal flaws in the management plane particularly attractive to attackers seeking lateral movement or credential harvesting within already-compromised networks.
