Emergency Security Bulletin: Trend Micro Apex One Server Directory Traversal Vulnerability

By: RedLegg's Cyber Threat Intelligence Team

About:

CVE-2026-34926 is a directory traversal vulnerability affecting Trend Micro Apex One Server and endpoint protection agents, with confirmed exploitation and inclusion in CISA’s KEV catalog. The issue allows attackers with sufficient privileges to manipulate file paths outside intended directories, potentially exposing sensitive data and impacting system integrity. Organizations should urgently upgrade to patched versions, restrict access to management interfaces, and monitor for suspicious file access or administrative activity.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES

Trend Micro Apex One Server Directory Traversal Vulnerability

Identifier: CVE-2026-34926
PoC or Exploitation: Trend Micro reported at least one attempt to exploit CVE-2026-34926 in the wild. The vulnerability has also been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
CVSS Score: 6.7 (Medium, CVSS v3.1)

CVSS Vector: AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L

Update / Patch: Trend Micro has released fixes addressing this vulnerability.

Affected versions include:

  • Apex One Server and Agent builds earlier than 17079
  • Apex One as a Service and TrendAI Vision One Endpoint Security – Standard Endpoint Protection Agent builds earlier than 14.0.20731

Fixed versions include:

  • Apex One SP1 Build 17079
  • Apex One SP1 Critical Patch Build 18012
  • Apex One as a Service / TrendAI Vision One Endpoint Security – Standard Endpoint Protection Agent build 14.0.20731

Trend Micro advisory and patch guidance:
https://success.trendmicro.com/en-US/solution/KA-0023430

Description:
CVE-2026-34926 is a directory traversal vulnerability affecting Trend Micro Apex One Server and related endpoint protection components.

Under specific conditions, the vulnerability may allow an attacker to manipulate file paths outside the intended directory structure.

Mitigation Recommendation:

  • Immediately upgrade Apex One Server and endpoint agents to fixed versions released by Trend Micro.
  • Prioritize remediation activities due to confirmed exploitation attempts and CISA KEV inclusion.
  • Review Apex One management infrastructure exposure and restrict unnecessary access paths.
  • Validate segmentation controls and management interface accessibility.
  • Confirm all agents and management servers are updated to patched builds.
  • Monitor endpoint management environments for unusual file access activity, abnormal administrative actions, and indicators associated with directory traversal attempts.
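
One way to confirm that all agents and management servers are on patched builds is to check an exported inventory against the build thresholds listed above. The following is an added example, not code from RedLegg or Trend Micro. It assumes a CSV export with hypothetical host, product and version columns, "onprem"/"saas" product labels, an on-premises build number carried as the last dotted component, and a three-part SaaS agent version; the sample rows are constructed.

```python
import csv
import io

# Thresholds from the bulletin's affected/fixed version lists.
ONPREM_FIXED_BUILD = 17079           # on-premises Apex One Server and Agent
SAAS_FIXED_VERSION = (14, 0, 20731)  # Apex One as a Service / Standard Endpoint Protection agent

# Constructed sample inventory; the column names and the "onprem"/"saas"
# labels are assumptions about your export, not a Trend Micro format.
SAMPLE_INVENTORY = """host,product,version
apex-srv01,onprem,14.0.0.17079
ws-0142,onprem,14.0.0.13140
ws-0277,onprem,18012
lt-0031,saas,14.0.20731
lt-0032,saas,14.0.14492
kiosk-07,saas,
"""

def classify(product, version_text):
    """Return 'patched', 'vulnerable', or 'unknown' for one inventory row."""
    try:
        version = tuple(int(part) for part in version_text.strip().split("."))
    except ValueError:
        return "unknown"  # blank or non-numeric: needs manual follow-up
    if product == "onprem":
        # Assumption: the build number is the last dotted component.
        return "patched" if version[-1] >= ONPREM_FIXED_BUILD else "vulnerable"
    if product == "saas" and len(version) == 3:
        return "patched" if version >= SAAS_FIXED_VERSION else "vulnerable"
    return "unknown"  # unrecognized product label or version shape

def audit(csv_text):
    """Map each host in the inventory to its patch status."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: classify(row["product"], row["version"]) for row in rows}

def needs_action(csv_text):
    """Hosts that are not confirmed patched, sorted for a remediation ticket."""
    return sorted(h for h, s in audit(csv_text).items() if s != "patched")

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Rows with a blank or unparseable version are reported as unknown rather than patched, so agents that have stopped reporting stay on the remediation list.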