CVE-2026-34926
Published 2026-05-21
CVE-2026-34926: A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to…
Priority: P180 · medium · 6.7 (CVSS 3.1)
AV:L / AC:H / PR:H / UI:N / S:C / C:H / I:L / A:L
KEV · ITW
CISA Known Exploited Vulnerability, due 2026-06-04
Exploited in the wild
EPSS: 12.68% (95.8th percentile)
A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations.
This vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro_inc | trendai_apex_one | >= 2019 (14.0) < 14.0.0.17079 | 14.0.0.17079 |
| trend_micro_inc | trendai_apex_one_as_a_service | >= SaaS < 14.0.20731 | 14.0.20731 |
| trendmicro | apex_one | < 14.0.0.17079 | 14.0.0.17079 |
| trendmicro | apex_one | < 14.0.20731 | 14.0.20731 |
Detection & IOCs (extracted from sources)
- CVE-2026-34926 exploitation targets Windows systems running Trend Micro Apex One on-premises server; monitor for directory traversal activity against the Apex One server's key table
- Attacker must have already obtained administrative credentials to the Apex One server prior to exploitation; monitor for anomalous admin-level access to Apex One server followed by key table modifications
- TrendAI telemetry confirmed at least one active in-the-wild exploitation attempt; treat any unexpected agent deployments or code pushes from the Apex One server as potentially malicious
- The vulnerability allows injecting malicious code into a key table on the server which is then deployed to managed agents; monitor agent update/deployment events for unexpected or unsigned payloads
- CISA KEV listing confirms active exploitation; FCEB agencies required to patch by June 4, 2026; treat unpatched on-premise Apex One servers as high-priority targets
- Vulnerability is exclusively exploitable on the on-premise version of Apex One; cloud-hosted deployments are not affected
- Exploitation requires pre-existing administrative credentials to the Apex One server obtained through a separate, prior compromise; this is not a standalone unauthenticated attack vector
- Vendor patch guidance and additional technical details are available at the Trend Micro knowledge base article referenced in the CISA KEV entry
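CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.7 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L |
| vulncheck | | 6.7 | MEDIUM | |
| cisa | | 6.7 | MEDIUM | |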
VulDB
Trend Micro TrendAI Apex One/TrendAI Apex One as a Service path traversal (EUVD-2026-31284)
vuldb·2026-05-21·CVSS 6.7
CVE-2026-34926 [MEDIUM] Trend Micro TrendAI Apex One/TrendAI Apex One as a Service path traversal (EUVD-2026-31284)
A vulnerability classified as problematic has been found in Trend Micro TrendAI Apex One and TrendAI Apex One as a Service. This affects an unknown function. The manipulation leads to relative path traversal.
This vulnerability is documented as CVE-2026-34926. The attack needs to be performed locally. Additionally, an exploit exists.
It is recommended to upgrade the affected component.
GHSA
GHSA-4ccp-cqrh-3w9v: A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the se
ghsa_unreviewed·2026-05-21
CVE-2026-34926 [MEDIUM] CWE-23 GHSA-4ccp-cqrh-3w9v: A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the se
A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations.
This vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability.
VulnCheck
Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability
vulncheck·2026·CVSS 6.7
CVE-2026-34926 [MEDIUM] CWE-23 Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability
Trend Micro Apex One (on-premise) contains a directory traversal vulnerability that could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations.
Affected: Trend Micro Apex One
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://jvn.jp/en/vu/JVNVU90583059/; https://success.trendmicro.com/en-US/solution/KA-0023430; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2026-06-04
CISA
Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability
cisa·2026-05-21·CVSS 6.7
CVE-2026-34926 [MEDIUM] CWE-23 Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability
Vulnerability: Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability
Affected: Trend Micro Apex One
Trend Micro Apex One (on-premise) contains a directory traversal vulnerability that could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://success.trendmicro.com/en-US/solution/KA-0023430 ; https://nvd.nist.gov/vuln/detail/CVE-2026-34926
Remediation Due Date: 2026-06-04
No detection rules found.
No public exploits indexed.
Checkpoint
25th May – Threat Intelligence Report
blogs_checkpoint·2026-05-25
CVE-2026-41091 25th May – Threat Intelligence Report
## 25th May – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 25th May, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
7-Eleven, the global convenience store chain, confirmed a breach after an unauthorized access to systems used for franchisee documents. ShinyHunters claimed responsibility and said it stole more than 600,000 Salesforce records containing personal and corporate information, with affected individuals offered identity protection serv
Hackernews
⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
blogs_hackernews·2026-05-25
CVE-2026-46333 ⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
## ⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
Monday recap. Same mess, new week.
A sketchy dev tool got people pwned, old bugs came back from the dead, and security products somehow needed protecting from themselves. A bunch of companies spent the week checking old boxes and forgotten servers they should've patched years ago. Good times.
Phishing crews are getting smarter too - less obvious scam junk, more targeted stuff that actually looks real. Meanwhile, botnets are grabbing anything exposed to the internet like it's free candy. The Internet's still a dumpster fire.
Let’s get into
Hackernews
CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV
blogs_hackernews·2026-05-22·CVSS 9.4
CVE-2025-34291 [CRITICAL] CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV
## CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting Langflow and Trend Micro Apex One to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerabilities in question are listed below:
CVE-2025-34291 (CVSS score: 9.4) - An origin validation error vulnerability in Langflow that could allow an attacker to execute arbitrary code and achieve full system compromise.
CVE-2026-34926 (CVSS score: 6.7) - A directory traversal vulnerability in on-prem
Bleepingcomputer
Trend Micro warns of Apex One zero-day exploited in the wild
blogs_bleepingcomputer·2026-05-22·CVSS 6.7
CVE-2026-34926 [MEDIUM] Trend Micro warns of Apex One zero-day exploited in the wild
## Trend Micro warns of Apex One zero-day exploited in the wild
By Sergiu Gatlan
Japanese cybersecurity software company Trend Micro has addressed an Apex One zero-day vulnerability exploited in attacks targeting Windows systems.
Apex One is Trend Micro's enterprise-grade endpoint security platform that protects corporate networks from a wide range of security threats, including malware, ransomware, fileless attacks, and web-based threats.
Tracked as CVE-2026-34926, this directory traversal vulnerability in the Apex One (on-premises) server allows local attackers with admin privileges to inject malicious code.
"A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious
Timeline
- 2026-05-21: Published
- 2026-05-21: Added to CISA KEV
- Exploited in the wild