CVE-2026-34926 is a directory traversal vulnerability in the Trend Micro Apex One on-premises server that permits a pre-authenticated local attacker with administrative privileges to modify a critical server table to inject malicious code. This code can then be deployed to agents on affected installations. Exploitation requires access to the Apex One server and administrative credentials obtained through other means. Trend Micro confirmed at least one observed attempt to exploit this zero-day in the wild. The vulnerability does not affect cloud versions of Apex One. CISA has added this vulnerability to its list of actively exploited flaws and ordered federal agencies to patch by June 4, 2026. Trend Micro has released security updates to remediate this and related privilege escalation issues in Apex One.

Successful exploitation allows an attacker with administrative access to the Apex One on-premises server to inject malicious code that can be deployed to endpoint agents, potentially compromising the security of protected systems. The vulnerability is significant because it enables code injection via directory traversal, but exploitation is constrained by the need for prior administrative credentials and local access to the server. The vulnerability has been observed exploited in the wild, indicating active threat. Federal agencies are required to patch promptly due to the risk posed.

Trend Micro has released security updates that address CVE-2026-34926 and related privilege escalation vulnerabilities in Apex One. Organizations using the on-premises Apex One server should apply these updates immediately. CISA has mandated federal agencies to patch by June 4, 2026. Since exploitation requires administrative credentials, organizations should also ensure strong access controls and credential management for the Apex One server. No mitigations beyond patching and credential protection are specified. Patch status is confirmed as fixed by Trend Micro's security updates.