cbcvebase.
CVE-2026-34926
published 2026-05-21

CVE-2026-34926: A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to…

PriorityP180medium6.7CVSS 3.1
AVLACHPRHUINSCCHILAL
KEVITW
CISA Known Exploited Vulnerabilitydue 2026-06-04
Exploited in the wild
EPSS
12.68%
95.8th percentile
A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations. This vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability.

Affected

4 ranges
VendorProductVersion rangeFixed in
trend_micro_inctrendai_apex_one>= 2019 (14.0) < 14.0.0.1707914.0.0.17079
trend_micro_inctrendai_apex_one_as_a_service>= SaaS < 14.0.2073114.0.20731
trendmicroapex_one< 14.0.0.1707914.0.0.17079
trendmicroapex_one< 14.0.2073114.0.20731

Detection & IOCsextracted from sources · hover to see the quote

  • CVE-2026-34926 exploitation targets Windows systems running Trend Micro Apex One on-premises server; monitor for directory traversal activity against the Apex One server's key table
  • Attacker must have already obtained administrative credentials to the Apex One server prior to exploitation; monitor for anomalous admin-level access to Apex One server followed by key table modifications
  • TrendAI telemetry confirmed at least one active in-the-wild exploitation attempt; treat any unexpected agent deployments or code pushes from the Apex One server as potentially malicious
  • The vulnerability allows injecting malicious code into a key table on the server which is then deployed to managed agents; monitor agent update/deployment events for unexpected or unsigned payloads
  • CISA KEV listing confirms active exploitation; FCEB agencies required to patch by June 4, 2026 — treat unpatched on-premise Apex One servers as high-priority targets
  • ·Vulnerability is exclusively exploitable on the on-premise version of Apex One; cloud-hosted deployments are not affected
  • ·Exploitation requires pre-existing administrative credentials to the Apex One server obtained through a separate, prior compromise — this is not a standalone unauthenticated attack vector
  • ·Vendor patch guidance and additional technical details are available at the Trend Micro knowledge base article referenced in the CISA KEV entry

CVSS provenance

nvdv3.16.7MEDIUMCVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L
vulncheck6.7MEDIUM
cisa6.7MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.