
Apex One Hit by 14 Vulnerabilities; Console Hijack Could Reach All Company PCs

Trend Micro has disclosed 14 vulnerabilities in its enterprise antivirus Apex One. Two of them are rated at the maximum severity tier, letting attackers hijack the management console without login and push malware to every PC in the company. With past zero-day exploitation on record, immediate patching is advised.

News
kkm (kkm-horikawa), Backend Engineer / AWS / Django
2026.05.22

Trend Micro has disclosed multiple critical vulnerabilities in its enterprise antivirus software "Apex One". A total of 14 CVEs were released in stages between February and May 2026. Two of them carry the maximum-tier severity rating of CVSS 9.8, meaning attackers can hijack the management console without logging in and potentially push malware to every PC across the company.

Apex One is Trend Micro's flagship product, which holds the top domestic market share among Japanese enterprise antivirus solutions and is the successor to the former "Virus Buster Corporate Edition". With major Japanese system integrators such as Fujitsu, NEC, and Otsuka Shokai handling distribution, it is effectively a "standard installation" in Japanese corporate IT, and the impact scope is enormous.

On May 21, 2026, seven new CVEs were added to the U.S. National Vulnerability Database (NVD), bringing the full picture into view together with the seven that had been disclosed earlier. What is more concerning is that Apex One has previously been hit by zero-day attacks (exploitation before a patch is available), and CISA's "Known Exploited Vulnerabilities (KEV)" catalog already lists 10 Apex-related entries.

What is Apex One?

Apex One is an "endpoint security" product that companies deploy to protect internal PCs and servers from viruses and cyber attacks. In plain terms, it is software that runs resident on each employee's PC and detects and blocks suspicious files and communications.

What sets it apart from the consumer-grade "Virus Buster" is that it comes with a "management console" that lets administrators centrally manage every PC in the company. Information systems staff use this console to issue simultaneous instructions to agents on hundreds or thousands of in-house PCs — distributing virus definition files, running scans, adding quarantine targets, and so on.

Apex One comes in two flavors: an "on-premises" version that runs on the company's own servers, and a cloud-based "SaaS version (Trend Vision One)". The most critical vulnerability hits the former — that is, the case where a company runs the management console on its own servers.

Apex One is distributed by major Japanese SIers and resellers including Fujitsu, NEC, Otsuka Shokai, SB C&S, Chibagin Computer Service, and Networld, and is widely adopted in government agencies, financial institutions, and the IT departments of manufacturers.

The two most critical: hijacking the management console without login

Of the 14 vulnerabilities disclosed this time, the most serious are CVE-2025-71210 and CVE-2025-71211. Both are classified at the highest-tier severity of "CVSS 9.8", almost a perfect 10.

They are a type of flaw called "directory traversal", where attackers can craft file path specifications to upload files to locations where writing should be forbidden. The Apex One management console performs this check loosely, leaving it in a state where arbitrary code can be executed without going through login authentication.
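As an added illustration (not Trend Micro's code, and not the actual Apex One check), here is the contrast between a loose upload-path check and one that canonicalises the path before comparing it to the upload root; the UPLOAD_ROOT directory and the file names are constructed for the example:

```python
import posixpath

# Constructed example, not Trend Micro's code. UPLOAD_ROOT is an assumed directory
# used only for illustration; the console's real file layout is not on record here.
UPLOAD_ROOT = "/srv/console/uploads"

def loose_target_path(filename: str) -> str:
    """A 'loose' check of the kind the article describes: the supplied name is only
    inspected for a leading '..' and then joined to the root as-is. A '..' segment
    placed after a harmless first component, or an absolute name, slips through."""
    if filename.startswith(".."):
        raise ValueError("rejected: leading '..'")
    return posixpath.join(UPLOAD_ROOT, filename)

def strict_target_path(filename: str) -> str:
    """Hardened check: canonicalise the joined path first, then require that the
    result still lies inside UPLOAD_ROOT. Absolute names, '..' segments and
    Windows-style backslashes are all neutralised before the comparison."""
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename.replace("\\", "/")))
    root = posixpath.normpath(UPLOAD_ROOT)
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError(f"rejected: {filename!r} escapes the upload root")
    return candidate

def strict_accepts(filename: str) -> bool:
    """Convenience wrapper: does the hardened check accept this name?"""
    try:
        strict_target_path(filename)
        return True
    except ValueError:
        return False

def resolves_outside_root(path: str) -> bool:
    """Where the filesystem would really put the file: after treating backslashes as
    separators (the console runs on Windows) and normalising, is it outside the root?"""
    root = posixpath.normpath(UPLOAD_ROOT)
    return posixpath.commonpath([root, posixpath.normpath(path.replace("\\", "/"))]) != root

if __name__ == "__main__":
    for name in ("report.txt", "sub/../../../etc/x", "/etc/x", "sub\\..\\..\\..\\x"):
        loose = loose_target_path(name)
        verdict = "escapes root" if resolves_outside_root(loose) else "confined"
        print(f"loose  {name!r:28} -> {loose}  ({verdict})")
        print(f"strict {name!r:28} -> {'accepted' if strict_accepts(name) else 'rejected'}")
```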

If exploited, the attacker obtains the same privileges as an administrator. To be concrete, the following scenarios become realistic.

Possible attack scenarios

  • Push malware to every PC and server in the company through the management console
  • Add files that should be detected as viruses to the "exclusion list" and disable detection
  • Fully take over the Windows server running the management console and use it as a foothold into the corporate network
  • Deliver ransomware to all endpoints at once and bring company operations to a sudden halt

The nasty part is that the security software itself gets hijacked. Apex One installed on each employee's PC trusts "instructions from our own management console" — so once that console falls into attacker hands, it is no longer a security measure but a launchpad for attacks.

Trend Micro cites "having access to the management console" as a precondition for the attack to succeed. If the console is confined to the internal LAN it cannot be reached directly from outside, but if it is exposed to the internet for remote work, the risk jumps dramatically.

The remaining 12: agent-side privilege escalation

The remaining 12 vulnerabilities relate to the "agent" (the resident program) running on employee PCs, all rated CVSS 7.8 (severity "High"). These assume the attacker has already gained the ability to execute low-privileged code on that PC by some means.

From there, by combining these flaws an attacker can escalate from a normal user account to SYSTEM (the highest-privileged account on Windows). With SYSTEM privileges, anything is possible on that PC. This is the textbook "next move" for an attacker who has broken in via phishing email and wants to fully take over the employee PC.

CVE ID         | CVSS | Target             | Attack type
CVE-2025-71210 | 9.8  | Management console | Code execution without login
CVE-2025-71211 | 9.8  | Management console | Code execution without login (separate executable from 71210)
CVE-2025-71212 | 7.8  | Scan engine        | Privilege escalation (link following)
CVE-2025-71213 | 7.8  | Agent              | Privilege escalation (origin validation)
CVE-2026-34927 | 7.8  | Agent              | Privilege escalation (origin validation)
CVE-2026-34928 | 7.8  | Agent              | Privilege escalation (named pipe)
CVE-2026-34929 | 7.8  | Agent              | Privilege escalation (IPC)
CVE-2026-34930 | 7.8  | Agent              | Privilege escalation (process protection)
CVE-2026-45206 | 7.8  | Agent              | Privilege escalation
CVE-2026-45207 | 7.8  | Agent              | Privilege escalation
CVE-2026-45208 | 7.8  | Agent              | Privilege escalation (TOCTOU race)

Disclosing nine agent-side vulnerabilities at once is an unusual number, and the batch published to NVD today (CVE-2026-34927 and later) corresponds to Trend Micro's advisory KA-0023430.

A heavy precedent of past zero-day attacks

Trend Micro states that "no evidence of exploitation has been confirmed" for these 14 vulnerabilities at this time. But for Apex One, "no exploitation" is not a comforting label, given the past trajectory.

In August 2025, when another command injection flaw "CVE-2025-54948" was discovered in the Apex One management console, Trend Micro announced that "attacks had already been observed before the patch was released". A classic zero-day attack.

On August 18, 2025, CISA added it to the Known Exploited Vulnerabilities (KEV) catalog and required U.S. federal agencies to remediate by September 8. The reporter was Jacky Hsieh of Taiwan-based CoreCloud Tech — the same researcher as this time — and Chinese state-sponsored actors targeting Taiwan were suspected of involvement.

As of today, CISA KEV lists a cumulative 10 Apex-related vulnerabilities. The management console of an endpoint security product is an extremely attractive target for attackers. Once hijacked, they can send commands through legitimate channels to every PC in the company — via the very software that was supposed to defend it.

"Two more RCE flaws have surfaced in the same management console that was previously hit by zero-day attacks" — that is the essence of this disclosure. There is ample motivation for attackers to target the same console again.

Timeline of the Apex One vulnerability story (interactive timeline figure, not reproduced in text)

Affected products and patches

The affected products and patch status are summarized below.

Target                  | Impact                                         | Status
On-premises (Windows)   | Two critical + many more vulnerabilities apply | Update to Critical Patch Build 14136 is required
SaaS (Trend Vision One) | Equivalent impact                              | Mitigated on the backend; no user action required
macOS                   | Agent-side privilege escalation impact         | Delivered via ActiveUpdate over time

The urgent one is the on-premises version. Applying Critical Patch Build 14136 is mandatory; companies on the SaaS version generally do not need to take additional action. That said, even SaaS users should verify that agent-side updates (via ActiveUpdate) are up to date.

For IT operations: what to check right now

  1. Confirm whether you are using Apex One on-prem. If you have already migrated to SaaS (Trend Vision One), no action is needed.
  2. If on-prem, confirm that the current build number is 14136 or higher.
  3. If below 14136, apply the patch as the top priority.
  4. Check whether the management console IP address is reachable from outside the corporate network. Restrict access to VPN-only.
  5. Review login history and file upload history on the management console for any suspicious access.
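For step 5, an added example (constructed here; not Apex One's real log format, endpoint names or code) of the kind of review a short script can do over console access logs: decode each request path, then flag upload requests that carry traversal sequences or that arrive from outside the internal address range. The sample log lines, the /console/upload path and the 10.0.0.0/8 range are all assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample lines in an assumed "<timestamp> <client_ip> <method> <path> <status>"
# format; the /console/upload endpoint and the addresses are illustrative, not Apex One's.
SAMPLE_LOG = """\
2026-05-21T09:12:03Z 10.20.30.41 GET /console/login 200
2026-05-21T09:12:09Z 10.20.30.41 POST /console/upload?name=report.txt 200
2026-05-21T22:47:51Z 203.0.113.77 POST /console/upload?name=..%2F..%2Fx.bin 200
2026-05-21T22:48:02Z 203.0.113.77 POST /console/upload?name=%252e%252e%2Fy.bin 200
2026-05-21T23:01:14Z 10.20.30.42 POST /console/upload?name=sub/../../z.bin 500
"""
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate address range
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until stable (bounded) so double-encoded '..' (%252e) is seen as the server would."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(request_path: str) -> bool:
    """True if any path or query segment, after decoding, is '..' or carries a null byte."""
    decoded = fully_decode(request_path).replace("\\", "/")
    return "\x00" in decoded or ".." in re.split(r"[/?=&]", decoded)

def review_upload_log(log_text: str) -> list:
    """Return one finding per suspicious line: traversal sequences, or uploads from outside."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed format
        timestamp, client_ip, _method, path, _status = match.groups()
        reasons = []
        if has_traversal(path):
            reasons.append("traversal sequence in request")
        if "/upload" in path and not any(ipaddress.ip_address(client_ip) in n for n in INTERNAL_NETS):
            reasons.append("upload request from outside the internal range")
        if reasons:
            findings.append({"time": timestamp, "ip": client_ip, "path": path, "reasons": reasons})
    return findings
```

Run against the real console logs, the line regex and INTERNAL_NETS are the two things to adapt; the decoding and segment check stay the same.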

The same researcher as last time

CVE-2025-71210 and CVE-2025-71211 were reported by Jacky Hsieh and Charles Yang of CoreCloud Tech, a Taiwanese security firm. The disclosure was responsibly handled through the Zero Day Initiative (ZDI) bug bounty program.

According to SecurityAffairs, Hsieh also reported CVE-2025-54948, which was exploited as a zero-day in August 2025. The same researcher has been discovering different weaknesses in the same management console multiple times over six months.

When a security product's management console repeatedly produces new flaws like this, it can be read as a signal that the entire product architecture needs reexamination. Trend Micro itself acknowledges that "attacks against Apex products are not uncommon" and recommends reviewing remote access policies and perimeter defenses.

Why "security software vulnerabilities" are the worst kind

Vulnerabilities in endpoint security products are more dangerous than vulnerabilities in ordinary software. There are three reasons.

First, the privilege level. Antivirus software needs to inspect every corner of the PC to quarantine suspicious files, so it runs as SYSTEM, the highest privilege account on Windows. The moment it is hijacked, the attacker can do anything on that machine.

Second, the legitimate channel. Agents periodically receive instructions from the management console and act on them. This communication is permitted either by punching holes in the corporate firewall or by placing the management server inside it. Take over the console and you can send arbitrary commands to all PCs through that "legitimate channel".

Third, the defensive machinery can be repurposed as offensive machinery. Concretely, register a malware file name in the detection exclusion list and that malware is no longer detected. Remove a specific directory from scan targets and the attack tools placed there become invisible. Features intended for administrators to use legitimately become attack tools when used by an attacker following the same steps.

In the security industry, people often say "a vulnerability in a security product is worth 10 times an ordinary vulnerability". That is not an exaggeration — it reflects how dramatically the blast radius differs in practice.

What Japanese companies should do

Because Apex One holds the top market share in Japanese enterprise antivirus, this is not someone else's problem for the IT departments of virtually any mid-sized or large company in Japan. Here is a concrete action list.

First, take inventory of your configuration immediately. Is Apex One running on-prem, or have you already migrated to the SaaS version (Trend Vision One)? If on-prem, updating to Critical Patch Build 14136 is the top priority. If your implementation partner SIer is Fujitsu, NEC, Otsuka Shokai, or similar, they have most likely issued guidance — checking with their support desk is the fastest route.

Second, reexamine the internet exposure of the management console. If the console IP is reachable from the public internet to support remote work or branch office management, the risk is on another level. Trend Micro itself officially recommends implementing IP restrictions. Limit access to VPN only, wrap it behind a reverse proxy with authentication, allow only specific IPs, and so on.

Third, look back at past logs around the Apex One management console for anything suspicious. These vulnerabilities are labeled "no confirmed exploitation" for now, but given the August 2025 zero-day, undiscovered intrusions cannot be ruled out. Review management console access logs, file upload history, and agent setting change history — it will make incident response faster if something does turn up.

JPCERT/CC and IPA are likely to issue alerts as well, so keep an eye on their announcements too.

Closing thoughts

"Security software has vulnerabilities" is no longer a once-in-a-few-years headline — it is a routine phenomenon. The question is not "whether they appear" but "whether you notice and fix them when they do".

This Apex One disclosure consisted of two CVSS 9.8 management console flaws and twelve agent-side privilege escalation flaws — 14 in total. With a track record of zero-day exploitation, applying the patch while exploitation is still unconfirmed is the option with the lowest expected loss.

IT operations staff should add "verify the Apex One build number" to tonight's task list. If you are on SaaS, breathe easy; if you are on-prem, line it up as a weekend job. That is the level of urgency this disclosure deserves.
