The Vulnerability and Its Exploitation
Trend Micro has released emergency security updates to address a critical vulnerability in its Apex One enterprise endpoint security platform. The flaw, a directory traversal weakness in the Apex One on-premises server, allows a local attacker who has already obtained administrative credentials to inject malicious code, which can then be pushed to managed agents across the organization.
Although exploitation is restrictive, requiring prior administrative access to the server, Trend Micro confirmed through its TrendAI threat detection system that at least one real attempt to exploit this vulnerability has been observed in the wild. The issue affects only the on-premises version of Apex One and does not impact the cloud-hosted variant, so remediation falls to IT administrators managing their own infrastructure.
Government Response and Broader Context
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, ordering all federal agencies to apply the available patches by June 4. CISA warned that such directory traversal flaws are frequently leveraged by malicious cyber actors because they can be used to bypass security controls and gain persistent access to enterprise networks.
This is not the first time Trend Micro has responded to active attacks against Apex One. The company previously patched a critical remote code execution bug in August 2025 and has addressed two other zero-days exploited in the wild, in 2022 and 2023. In addition to this directory traversal issue, Trend Micro also released fixes for seven local privilege escalation vulnerabilities in the Apex One Standard Endpoint Protection agent, which could be exploited by an attacker with low-level code execution rights.
Source: BleepingComputer
