CVE-2026-34926 — Trend Micro Apex One On-Premise: post-auth directory traversal by admin-credential holder injects code deployed fleet-wide to all managed agents (CISA KEV, ITW)
From CTI Daily Brief — 2026-05-22 · published 2026-05-22
CVE-2026-34926 (CVSS 6.7, CWE-23 Relative Path Traversal) affects Apex One On-Premise server and agent builds below 17079. An authenticated attacker who has already obtained administrative credentials to the Apex One management server traverses the directory structure to modify a key table, injecting malicious code that the management server then distributes to all enrolled agent endpoints via the product's built-in update mechanism. One compromised management console therefore results in fleet-wide code execution on every managed endpoint.

The exploitation prerequisite (admin credentials to the Apex One server) does not reduce urgency: management server admin accounts are a high-value target for credential theft campaigns, CISA added CVE-2026-34926 to KEV on 2026-05-21 following confirmed ITW exploitation, and JPCERT/CC confirmed exploitation in the wild on 2026-05-22.

Fixed: server and agent build 17079 per Trend Micro KA-0023430. The Apex One as a Service (SaaS) variant is not affected. Until patched, restrict local-network access to the Apex One management console to a dedicated management VLAN, and treat the console host as Tier-0 infrastructure given its fleet-wide code distribution capability. Technique: T1574 Hijack Execution Flow via trusted software update path.
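A triage sketch for the guidance above, added here as an example and not taken from Trend Micro or the brief: it flags on-premise hosts below build 17079 (servers first) and console logins that originate outside the management VLAN. The inventory rows, login records, dotted build format and the 10.20.0.0/24 VLAN are constructed assumptions.

```python
import ipaddress

FIXED_BUILD = 17079  # fixed server and agent build stated in the brief
MGMT_VLAN = ipaddress.ip_network("10.20.0.0/24")  # hypothetical management VLAN

# Constructed inventory: (host, role, deployment, build). The dotted build
# format is an assumption; only the trailing number is compared.
INVENTORY = [
    ("ws-0977", "agent", "on-prem", "14.0.0.15021"),
    ("apex-srv-01", "server", "on-prem", "14.0.0.16980"),
    ("ws-0412", "agent", "on-prem", "14.0.0.17079"),
    ("ws-saas-03", "agent", "saas", "14.0.0.15021"),
    ("ws-1200", "agent", "on-prem", "unknown"),
]

# Constructed console login records: (source IP, account).
CONSOLE_LOGINS = [("10.20.0.15", "admin"), ("10.44.7.90", "admin"), ("192.168.3.8", "root")]

def build_number(build):
    """Return the trailing numeric build, or None when it cannot be parsed."""
    tail = build.rsplit(".", 1)[-1]
    return int(tail) if tail.isdigit() else None

def triage(inventory):
    """Bucket hosts by exposure; SaaS is not affected per the brief."""
    result = {"vulnerable": [], "patched": [], "unknown": [], "not_affected": []}
    roles = {host: role for host, role, _, _ in inventory}
    for host, _, deployment, build in inventory:
        n = build_number(build)
        if deployment == "saas":
            result["not_affected"].append(host)
        elif n is None:
            result["unknown"].append(host)  # unparseable build: verify by hand
        elif n < FIXED_BUILD:
            result["vulnerable"].append(host)
        else:
            result["patched"].append(host)
    # The server distributes code fleet-wide, so list vulnerable servers first.
    result["vulnerable"].sort(key=lambda h: roles[h] != "server")
    return result

def off_vlan_logins(logins, vlan):
    """Return console logins whose source address is outside the VLAN."""
    return [(ip, user) for ip, user in logins if ipaddress.ip_address(ip) not in vlan]

if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket}: {hosts}")
    print("off-VLAN console logins:", off_vlan_logins(CONSOLE_LOGINS, MGMT_VLAN))
```

Hosts in the `unknown` bucket should be treated as unpatched until their build is confirmed.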