Actively exploited Trend Micro Apex One flaw gets CISA warning (CVE-2026-34926)
A relative directory path traversal vulnerability (CVE-2026-34926) in Trend Micro’s Apex One platform has been exploited in zero-day attacks, the company confirmed.

“TrendAI has observed at least one attempt to exploit this vulnerability in the wild,” Trend Micro noted, and credited the incident response team of its TrendAI enterprise cybersecurity business for reporting it.
About Trend Micro Apex One
Trend Micro Apex One is a security platform that protects all the devices in an organization from cyber threats.
The solution relies on lightweight agents installed on organizations’ laptops, desktops, and servers, which quietly monitor for threats and can automatically block or quarantine anything suspicious.
All these agents report back to a central server, through which IT teams manage security policies, investigate incidents, and keep an eye on the devices.
About CVE-2026-34926
CVE-2026-34926 and seven additional vulnerabilities affecting Apex One security agents were disclosed by Trend Micro last week, but only CVE-2026-34926 was flagged as actively exploited.
“This vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability,” the company noted.
Once exploited, the vulnerability allows this “pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations.” A trusted distribution channel may therefore become a malware distribution channel.
What to do?
Trend Micro has yet to share details about the attack its experts responded to, but has urged customers to update their on-prem Apex One server deployments and security agents as soon as possible.
“In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security is up-to-date,” the company added.
It’s also a good idea to confirm that only authorized users have access to, and admin privileges on, the Apex One Server console.
Customers using Trend Micro Apex One as a Service and TrendAI Vision One Endpoint Security – Standard Endpoint Protection should implement the security agent patches, as the server-side vulnerabilities were patched by Trend Micro in April.
The US Cybersecurity and Infrastructure Security Agency added CVE-2026-34926 to its Known Exploited Vulnerabilities catalog, and ordered US federal civilian agencies to implement the patches by June 4, 2026.

