Trend Micro has confirmed that attackers are actively exploiting a zero-day vulnerability in Apex One, its enterprise endpoint security platform. The flaw, tracked as CVE-2026-34926, lets a local attacker with administrative access inject malicious code into the server and push it out to every connected agent across the network. A patch is available now, and federal agencies have until June 4, 2026, to apply it.

What Is CVE-2026-34926
CVE-2026-34926 is a directory traversal vulnerability in the Apex One on-premises server. A directory traversal flaw allows an attacker to navigate outside the intended file path on a server and access or modify files that should be off-limits.
In this case, Trend Micro said the flaw lets a pre-authenticated local attacker modify a key table on the Apex One server. Once that table is modified, the attacker can deploy malicious code to all agents connected to that server. The reach of a single compromised server extends to every endpoint it manages.
The vulnerability carries a CVSSv3.1 score of 6.7, rated Medium. That score reflects the high bar an attacker must clear to exploit it: local access to the server and existing administrative credentials. Despite those requirements, Trend Micro confirmed that at least one active exploitation attempt has already occurred in the wild.
The flaw affects only the on-premises version of Apex One. The SaaS version is not vulnerable on the server side, though its agents still need updating (covered below).
Who Is at Risk
You are at risk if you run any of the following:
- Apex One 2019 (on-premises): Server and agent builds below 14.0.0.17079
- Apex One as a Service / Vision One Standard Endpoint Protection (SEP): Agent builds below 14.0.20731
The vulnerability exists on Windows systems only. If your Apex One server is already at build 17079 or higher, your server is protected. But your agents still require the updated build to be fully covered.
What Trend Micro and CISA Are Saying
Trend Micro released its May 2026 Security Bulletin on May 21, 2026, disclosing the vulnerability alongside six additional flaws. On the same day, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-34926 to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by June 4, 2026.
CISA tracks 12 Trend Micro Apex vulnerabilities that have been or are still being abused in attacks. This latest addition continues a pattern of threat actors targeting Apex One in zero-day attacks. Trend Micro previously warned of an actively exploited Apex One remote code execution bug in August 2025 and addressed two separate zero-days in September 2022 and September 2023.
How to Patch CVE-2026-34926
Apply the correct update based on your deployment type.
Apex One On-Premises
| Scenario | Required Build |
|---|---|
| Existing SP1 installation | SP1 Critical Patch Build 18012 |
| New install | SP1 Build 17079 |
| Minimum agent build | 14.0.0.17079 |
Note: Trend Micro originally released CP 17079 for existing SP1 users but pulled it due to an unrelated issue. If you already applied CP 17079, your system is protected. The replacement CP 18012 is now the correct update for all existing SP1 installations going forward.
Apex One as a Service and Vision One SEP
| Product | Required Agent Build |
|---|---|
| Apex One as a Service | 14.0.20731 |
| Vision One Standard Endpoint Protection | 14.0.20731 |
SaaS agent updates deploy automatically in most configurations. Verify your agent versions through the Apex One console after the update window passes to confirm all endpoints have received the correct build.
Trend Micro recommends installing the latest available build rather than stopping at the minimum required version.
Other Vulnerabilities Fixed in This Bulletin
Trend Micro addressed seven vulnerabilities in total in this bulletin, spanning CVE-2026-34926 through CVE-2026-34930 and CVE-2026-45206 through CVE-2026-45208.
The remaining six flaws are local privilege escalation vulnerabilities in the Apex One Standard Endpoint Protection agent. An attacker who can execute low-privileged code on a target system can exploit these flaws to gain higher system privileges. CVSS scores for these flaws range from 6.7 to 7.8, placing them in the Medium to High severity range.
All seven vulnerabilities are addressed in the same builds listed above. Applying the patch for CVE-2026-34926 also covers the privilege escalation flaws.
Related Guides
- Apache ActiveMQ CVE-2026-34197 Remote Code Execution Flaw Leaves 6,400 Servers Exposed to Active Attacks
- FortiSIEM Vulnerability CVE-2025-64155 Actively Exploited: How to Protect Your Systems
- Attackers Are Using Microsoft Defender Against You: Fix CVE-2026-41091 and CVE-2026-45498 Now
Apex One is enterprise security software, and a compromised Apex One server gives attackers reach across every managed endpoint in the network. Trend Micro confirmed active exploitation is already happening. CISA’s June 4 deadline applies to federal agencies, but the real deadline for every organization running Apex One on-premises is right now. Apply CP Build 18012 for existing SP1 installations, verify agent builds hit 14.0.0.17079 or higher, and check SaaS agent versions if you run Apex One as a Service.
