CISA added CVE-2026-34926, a directory traversal flaw in Trend Micro Apex One (on-premise), to its Known Exploited Vulnerabilities catalog on 2026-05-21, giving federal agencies until 2026-06-04 to remediate.
What Is It
CVE-2026-34926 is a directory traversal vulnerability (CWE-23) in the Apex One (on-premise) server. According to Trend Micro and NVD, a pre-authenticated local attacker can modify a key table on the server to inject malicious code that is then deployed out to managed agents. Exploitation requires that the attacker already has access to the Apex One Server and has obtained administrative credentials by some other means. The flaw carries a CVSS 3.1 base score of 6.0 (MEDIUM), vector AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L, local attack vector, high attack complexity, and high privileges required, with a scope change capturing the path from server compromise to downstream agent impact.
Why It Matters
Although the prerequisites are steep, CISA's inclusion of the CVE in the KEV catalog on 2026-05-21 indicates the agency has evidence consistent with in-the-wild exploitation, per KEV inclusion criteria. The scope-changed impact is the operationally important part: a compromised Apex One server can be used to push attacker-controlled code to every endpoint agent it manages, turning an endpoint security platform into a distribution channel. Known ransomware campaign use is currently listed as "Unknown" in the KEV entry.
What's Vulnerable
- Trend Micro Apex One, on-premise version only. The NVD description explicitly notes the cloud/SaaS version is not exploitable.
- Affected component: the Apex One server's handling of a key table, reachable via directory traversal.
Patch Status
Trend Micro has published guidance in solution articles KA-0023430 (English) and KA-0022974 (Japanese). JPCERT/CC has also issued an advisory (AT260014) and JVN tracking (JVNVU90583059). CISA's required action per BOD 22-01: apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Federal due date: 2026-06-04.