Technical description
Trend Micro Apex One (on-premise) server contains a directory traversal vulnerability (CWE-23) that allows a pre-authenticated local attacker with administrative credentials to modify a key table on the server to inject malicious code for deployment to agents on affected installations. CVSS 3.1 score: 6.7 (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L). This vulnerability is only exploitable on the on-premise version of Apex One; the SaaS version is not affected.
Attack vector
An attacker who has already obtained local administrative access to the Apex One server via some other method can exploit the directory traversal flaw to reach files outside the intended path, modify a key table, and inject malicious code. Because Apex One is endpoint security management software, the injected code is then distributed to managed agents across the enterprise, enabling widespread compromise from a single server-level breach.
Affected systems
Apex One (on-premise) server and agent builds prior to 2019 build 17079. This covers organizations that use on-premise Apex One deployments for endpoint security management.
Mitigation
Upgrade Apex One on-premise to SP1 CP Build 18012 (for existing SP1 users) or SP1 Build 17079 (for new installs), and ensure that the agent build is at least 14.0.0.17079. Apply mitigations per Trend Micro advisory KA-0023430. Federal civilian agencies must apply mitigations by June 4, 2026, per the CISA KEV requirement.
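
One way to check a fleet against the minimum agent build named above. This is an added example, not Trend Micro tooling. It assumes an inventory exported as CSV with `host` and `agent_build` columns; that format, the hostnames and the sample build values are constructed for illustration.

```python
import csv
import io

# Minimum fixed agent build, taken from the mitigation text above.
MIN_AGENT_BUILD = (14, 0, 0, 17079)

# Constructed sample inventory (hypothetical hostnames, builds and export format).
SAMPLE_INVENTORY = """host,agent_build
ws-001,14.0.0.17079
ws-002,14.0.0.9565
ws-003,14.0.0.18012
ws-004,14.0.12980
ws-005,
ws-006,13.95.0.1182
"""


def parse_build(text):
    """Return the build as a tuple of ints, or None if it is not four dotted numbers."""
    parts = text.strip().split(".")
    if len(parts) != len(MIN_AGENT_BUILD) or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(inventory_csv):
    """Sort hosts into patched, outdated and unknown (unparseable build) buckets."""
    result = {"patched": [], "outdated": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        build = parse_build(row.get("agent_build") or "")
        if build is None:
            # Missing or malformed data needs follow-up; never count it as patched.
            result["unknown"].append(row["host"])
        elif build >= MIN_AGENT_BUILD:
            # Tuple comparison is numeric per field; comparing the raw strings
            # would rank "14.0.0.9565" above "14.0.0.17079".
            result["patched"].append(row["host"])
        else:
            result["outdated"].append(row["host"])
    return result


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` bucket should be checked by hand, since an agent that reports no build or a malformed one cannot be shown to be at or above the fixed build.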