- Last update: 22/05/2026
- Affected software:
→ TrendAI Apex One
→ TrendAI Vision One Standard Endpoint Protection (SEP)
- Type:
→ Elevation of Privilege (CVE-2026-34927 to CVE-2026-34930 + CVE-2026-45206 to CVE-2026-45208)
→ Remote Code Execution (CVE-2026-34926)
- CVE/CVSS:
→ CVE-2026-20223: CVSS 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
→ CVE-2026-34926: CVSS 6.7 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L)
→ CVE-2026-34927: CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
→ CVE-2026-34928: CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
→ CVE-2026-34929: CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
→ CVE-2026-34930: CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
→ CVE-2026-45206: CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
→ CVE-2026-45207: CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
→ CVE-2026-45208: CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
TrendAI Apex One is an endpoint protection product providing antivirus, behavioral analysis, ransomware defense, and centralized policy control for enterprise devices. Trend Vision One - Standard Endpoint Protection (SEP) is a cloud-native endpoint protection service within Trend Vision One, combining Apex One protection capabilities with integrated XDR visibility.
CVE-2026-34926 is a directory traversal vulnerability in the Apex One on-premise server which allows a pre-authenticated local attacker to inject malicious code that is then deployed to agents on affected installations. In addition, 6 local privilege escalation vulnerabilities affecting Apex One agent builds and TrendAI Vision One Endpoint Security - Standard Endpoint Protection (SEP) were patched.
TrendAI has observed at least one instance of an attempt to exploit CVE-2026-34926. Further exploitation is likely, considering the large possible impact of combining these vulnerabilities. Patching is urgent and should be done as fast as possible. There is a high impact on confidentiality, integrity and availability.
CVE-2026-34926 is a directory traversal vulnerability in Apex One that is exploitable by a local attacker with admin credentials. In this case, the attacker is able to modify a key table on the server to inject malicious code to deploy to agents on affected installations. TrendAI has observed at least one attempt to exploit this vulnerability in the wild.
Vulnerabilities CVE-2026-34927 through CVE-2026-34930 and CVE-2026-45206 through CVE-2026-45207 are origin validation vulnerabilities in the Apex One (On Premise + SaaS)/SEP Security Agent that allow a local attacker with the ability to execute low-privileged code on the target system to escalate their privileges. The different CVEs reflect the fact that this vulnerability is present in multiple different mechanisms and places in the code. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.