Trend Micro Apex One CVE-2026-34926: KEV Server Build Exposure

Suspected
Discovered May 26, 2026

CISA added Trend Micro Apex One CVE-2026-34926 to KEV on 2026-05-21. Trend Micro reports at least one in-the-wild attempt and fixed builds 17079, 18012, and 14.0.20731; this article provides build-export and agent-deployment audit scripts.

0
Affected Packages
0
Observables
3
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script

Analysis

Executive Summary

CISA added CVE-2026-34926 to KEV on 2026-05-21 with a due date of 2026-06-04 CISA KEV opens in a new tab. Trend Micro states that the issue affects Apex One on-premise servers and can allow a pre-authenticated local attacker with server access and administrative credentials to modify a key table and inject code deployed to agents Trend Micro opens in a new tab.

Trend Micro also states it observed at least one attempt to exploit CVE-2026-34926 in the wild Trend Micro opens in a new tab.

Key Facts

Cve: CVE-2026-34926

Vendor: Trend Micro

Product: Apex One on-premise

Kev Added: 2026-05-21

Kev Due: 2026-06-04

Vulnerability: Apex One Server directory traversal

Cwe:

  • CWE-23

Affected Versions:

  • Apex One 2019 on-prem Server and Agent builds below 17079
  • Apex One as a Service / Trend Vision One SEP agent builds below 14.0.20731

Fixed Versions:

  • Apex One on-prem SP1 CP Build 18012 for existing SP1 users
  • Apex One on-prem SP1 Build 17079 for new installs
  • Security Agent build 14.0.20731

Cvss V31: 6.7 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L

Exploitation Status: vendor_observed_at_least_one_attempt_in_the_wild

Zero Day Status: vendor_reported_in_the_wild_attempt

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceRemediation triggerClosure condition
Confirmed compromiseApex One server or agent telemetry shows key-table modification, server-side code injection, or unexplained agent deployment on an affected build.Server build, admin session, deployment event, affected agent set, and timestamped evidence.Preserve Apex One server logs, package deployment artifacts, and administrative login records.Fixed build is verified and downstream agent-deployment audit has no unexplained deployment chain.
Presumed exposedApex One on-prem server or agent build is below 17079, existing SP1 lacks CP Build 18012, or SaaS/SEP agent is below 14.0.20731.Product-console export, endpoint inventory, or scanner row with exact build.Keep the server and managed agents in scope until fixed-build proof exists.Build-export verifier returns no vulnerable rows.
Potentially exposedApex One appears in inventory but build, deployment type, or server access evidence is incomplete.CMDB, EDR, product-console, scanner, or endpoint evidence naming Apex One.Collect exact server and agent builds.Asset resolves to confirmed compromise, presumed exposed, not exposed, or unknown.
Not exposedNo Apex One server, agent, scanner row, or CVE-2026-34926 selector appears in complete exports.Negative outputs from product-console, EDR, and scanner exports.None for this CVE.Evidence bundle covers Apex One servers and managed agents.
UnknownProduct-console or endpoint build exports are unavailable.Gap statement naming the unavailable export.Keep Apex One servers in scope until build evidence is recovered.Evidence is recovered or the risk owner accepts the named gap.

What Happened

The exploit path is local and constrained, but the blast radius is large because Apex One servers manage code deployment to agents. The highest-value evidence is server build, agent build, administrative access to the server, and package or agent deployment records around the exposure window.

Technical Analysis

Trend Micro's advisory scopes exploitation to the on-premise Apex One server and says an attacker must already have server access and administrative credentials through another path Trend Micro opens in a new tab. That makes this less useful as an internet-wide unauthenticated scan item and more useful as a security-tool control-plane abuse check. [1]

Affected Assets and Blast Radius

Asset Selectors:

  • Apex One
  • Trend Micro Apex One
  • Trend Vision One Endpoint Security
  • CVE-2026-34926

Build Selectors:

  • 17079
  • 18012
  • 14.0.20731

Downstream Assets:

  • Apex One server administrative sessions
  • Apex One agent package deployment history
  • Windows endpoints managed by affected Apex One servers

Indicators of Compromise

The following indicators of compromise (IOCs) can be used to scope exposure across local repositories, systems, and telemetry exports:

Remediation and Closure

The following Python script is provided to scan, verify, or query the system telemetry:

#!/usr/bin/env python3
import csv
import json
import os
import re
import sys
from pathlib import Path

ASSET_EXPORT = Path(os.environ.get("ASSET_EXPORT", sys.argv[1] if len(sys.argv) > 1 else "apex-one-assets.csv")).resolve()
OUT = Path(os.environ.get("OUT", "hp-apex-one-cve-2026-34926-closure")).resolve()
CVE = "CVE-2026-34926"
SOURCE = "https://success.trendmicro.com/en-US/solution/KA-0023430"

def vt(value):
    return tuple(int(x) for x in re.findall(r"\d+", str(value))[:5])

def ge(left, right):
    l, r = vt(left), vt(right)
    width = max(len(l), len(r), 1)
    return l + (0,) * (width - len(l)) >= r + (0,) * (width - len(r))

def load_rows(path):
    if not path.exists():
        raise SystemExit(f"ASSET_EXPORT not found: {path}")
    if path.suffix.lower() == ".csv":
        with path.open(newline="", encoding="utf-8", errors="ignore") as handle:
            return list(csv.DictReader(handle))
    data = json.loads(path.read_text(encoding="utf-8", errors="ignore"))
    return data if isinstance(data, list) else next((data[k] for k in ("assets", "agents", "servers", "findings", "rows") if isinstance(data.get(k), list)), [])

OUT.mkdir(parents=True, exist_ok=True)
results = []
for idx, row in enumerate(load_rows(ASSET_EXPORT), start=1):
    text = json.dumps(row, sort_keys=True)
    if "Apex One" not in text and "CVE-2026-34926" not in text:
        continue
    version = ""
    match = re.search(r"(?<!\d)(14\.0\.\d+|\d{5})(?!\d)", text)
    if match:
        version = match.group(1)
    fixed = False
    if version.isdigit():
        fixed = int(version) >= 17079 or int(version) >= 18012
    elif version:
        fixed = ge(version, "14.0.20731")
    results.append({"row": idx, "cve": CVE, "source": SOURCE, "detected_build": version, "fixed_build_proven": fixed, "row_data": row})

(OUT / "apex-one-cve-2026-34926-build-verification.json").write_text(json.dumps(results, indent=2, sort_keys=True), encoding="utf-8")

# Remediation trigger: fixed_build_proven false for any Apex One server or agent row keeps CVE-2026-34926 open.
print(json.dumps({"out": str(OUT), "checked": len(results), "not_closed": [r for r in results if not r["fixed_build_proven"]]}, indent=2))

Downstream Abuse Audits

Compromised workstations expose active API credentials, requiring immediate rotated revocation. The following platforms are at risk:

  • GitHub OIDC and PATs: Attackers harvested SSH private keys and Git Personal Access Tokens. Auditors must inspect recent action runs and release logs during the exposure window.
  • Cloud IAM Credentials: AWS, Azure, and GCP session tokens. CloudTrail and Activity Logs should be queried for AssumeRole or write operations originating from unexpected IP addresses.
  • NPM and Package Registries: Publishing tokens and credentials. Registry profiles must be audited for unauthorized version publishes or token additions.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
May 26, 2026DisclosureDisclosure recorded for Trend Micro Apex One CVE-2026-34926: KEV Server Build Exposure.nvd.nist.gov
May 26, 2026First seenFirst seen recorded for Trend Micro Apex One CVE-2026-34926: KEV Server Build Exposure.nvd.nist.gov
May 26, 2026DiscoveryDiscovery recorded for Trend Micro Apex One CVE-2026-34926: KEV Server Build Exposure.nvd.nist.gov
May 26, 2026Trend Micro Apex One CVE-2026-34926: KEV Server Build ExposureUnknownnvd.nist.gov

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with Trend Micro Apex One CVE-2026-34926: KEV Server Build Exposure?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabnvd.nist.gov

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with Trend Micro Apex One CVE-2026-34926: KEV Server Build Exposure?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-trend-micro-apex-one-cve-2026-34926-kev-scope"))


# Collect unique indicators
indicators = set()
for group in []:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

3 of 3 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
nvd.nist.govSecurity Researcher95%1CISA added Trend Micro Apex One CVE-2026-34926 to KEV on 2026-05-21. Trend Micro reports at least one in-the-wild attempt and fixed builds 17079, 18012, and 14.0.20731; this article provides build-export and agent-deployment audit scripts.
cisa.govSecurity Researcher95%1CISA added Trend Micro Apex One CVE-2026-34926 to KEV on 2026-05-21. Trend Micro reports at least one in-the-wild attempt and fixed builds 17079, 18012, and 14.0.20731; this article provides build-export and agent-deployment audit scripts.
success.trendmicro.comSecurity Researcher95%1CISA added Trend Micro Apex One CVE-2026-34926 to KEV on 2026-05-21. Trend Micro reports at least one in-the-wild attempt and fixed builds 17079, 18012, and 14.0.20731; this article provides build-export and agent-deployment audit scripts.