ctipilot.ch


CVE-2026-34926 — Trend Micro Apex One On-Premise: post-auth directory traversal by admin-credential holder injects code deployed fleet-wide to all managed agents (CISA KEV, ITW)

critical vulnerability discovered 2026-05-22 05:00 UTC

Part of run 2026-05-22-5b90d5a1 (intel · Claude Sonnet 4.6)

CVE-2026-34926 (CVSS 6.7, CWE-23 Relative Path Traversal) affects Apex One On-Premise server and agent builds below 17079. An authenticated attacker who has already obtained administrative credentials to the Apex One management server can traverse the directory structure to modify a key table and inject malicious code, which the management server then distributes to all enrolled agent endpoints through the product's built-in update mechanism. One compromised management console therefore results in fleet-wide code execution on every managed endpoint.

The exploitation prerequisite (admin credentials to the Apex One server) does not reduce urgency: management server admin accounts are a high-value target for credential theft campaigns, CISA added CVE-2026-34926 to KEV on 2026-05-21 following confirmed ITW exploitation, and JPCERT/CC confirmed exploitation in the wild on 2026-05-22.

Fixed: server and agent build 17079 per Trend Micro KA-0023430. The Apex One as a Service (SaaS) variant is not affected. Until patched, restrict local-network access to the Apex One management console to a dedicated management VLAN; treat the console host as Tier-0 infrastructure given its fleet-wide code distribution capability. Technique: T1574 Hijack Execution Flow via trusted software update path.

“Trend Micro Incorporated has reported that attacks exploiting the relative path traversal vulnerability in TrendAI Apex One(On Premise) (CVE-2026-34926) have been observed in the wild.” — JPCERT/CC

“a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability.” — HKCERT

Action items

  • Patch Trend Micro Apex One On-Premise to server/agent build 17079. CVE-2026-34926 is actively exploited ITW (JPCERT, 2026-05-22), and a compromised management console deploys attacker code to all managed endpoints. Verify the version via the Apex One management console's product version page and apply KA-0023430. Treat the Apex One server host as Tier-0: restrict console access to the management VLAN before the patch is applied.
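
One way to triage both action items across an exported inventory, as an added example that is not part of the brief or of any Trend Micro tooling. The CSV columns, host names, the management VLAN range and the plain-integer build format are assumptions, and the sample data is constructed; only the fixed build 17079 comes from the brief.

```python
import csv
import io
import ipaddress

FIXED_BUILD = 17079  # fixed server/agent build stated in the brief (KA-0023430)
MGMT_VLAN = ipaddress.ip_network("10.20.0.0/24")  # assumed management VLAN

# Constructed sample export; hosts and column names are hypothetical.
SAMPLE_INVENTORY = """host,role,build,console_allowed_sources
av-mgmt-01,server,16984,10.20.0.0/24;10.0.0.0/8
av-mgmt-02,server,17079,10.20.0.0/24
ws-0142,agent,17079,
ws-0977,agent,16531,
ws-1203,agent,unknown,
"""

def triage(inventory_csv, mgmt_vlan=MGMT_VLAN, fixed_build=FIXED_BUILD):
    """Return (host, finding) pairs for unpatched builds and exposed consoles."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["host"]
        try:
            if int(row["build"]) < fixed_build:
                findings.append((host, "unpatched"))
        except ValueError:
            # Unparseable build: report it rather than assume it is patched.
            findings.append((host, "build-unknown"))
        if row["role"] != "server":
            continue
        sources = [s for s in row["console_allowed_sources"].split(";") if s]
        if not sources:
            findings.append((host, "console-acl-missing"))
        for src in sources:
            net = ipaddress.ip_network(src, strict=False)
            # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
            if net.version != mgmt_vlan.version or not net.subnet_of(mgmt_vlan):
                findings.append((host, f"console-exposed:{src}"))
    return findings

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_INVENTORY):
        print(f"{host}: {finding}")
```

An unpatched server row outranks any agent finding, because the server is what distributes code to the agents.
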
vulnerabilities actively-exploited cisa-kev patch-available global CVE-2026-34926