Full Report
Trend Micro security advisory (AV26-494)
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Trend Micro Apex One and Vision One Endpoint
## CVE Details
- **CVE ID:** CVE-2024-34335, CVE-2024-34336 (unconfirmed: these identifiers were inferred from the May 2026 advisory context rather than taken from the linked Trend Micro bulletin; verify them against the bulletin before citing them in tickets or detections)
- **CVSS Score:** 8.1 (High)
- **CWE:** CWE-287 (Improper Authentication) / CWE-269 (Improper Privilege Management)
## Affected Systems
- **Products:**
- Apex One (On-Premise)
- Apex One as a Service (SaaS)
- Trend Vision One Endpoint - Standard Endpoint Protection (SEP)
- **Versions:**
- Apex One (On-Prem): Server/agent builds prior to 17079
- Trend Vision One Endpoint: Agent builds prior to 14.0.20731
- **Configurations:** Systems running the affected agent builds on supported Windows or macOS platforms.
## Vulnerability Description
The advisory covers an authentication bypass and a local privilege escalation in the agent components. An attacker who can already run code on an affected endpoint could bypass the agent's security constraints or escalate to SYSTEM. The advisory summary does not state the exact mechanism; flaws of this class in endpoint agents most often stem from unsafe handling of attacker-influenced file paths or from race conditions during agent updates and maintenance tasks, so treat that as a general characterization rather than a confirmed root cause.
## Exploitation
- **Status:** **Exploited in the wild.** (Trend Micro indicates these vulnerabilities have seen limited, targeted exploitation).
- **Complexity:** Low to Medium
- **Attack Vector:** Local (Requires initial access to the system to escalate privileges).
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
- **Apex One (On-Prem):** Upgrade to build 17079 or later.
- **Apex One as a Service:** The server side is updated by Trend Micro; the endpoint agents are not necessarily current just because the console is. Confirm from the console that every agent reports the fixed build, and chase hosts that have been offline or have failed updates.
- **Trend Vision One Endpoint:** Upgrade to agent build 14.0.20731 or later.
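Checking an endpoint inventory against the fixed builds above is a string-comparison trap: `"14.0.9"` sorts after `"14.0.20731"` as text but is an older build. The script below is an added example, not Trend Micro's or CCCS's code. The fixed-build thresholds are the ones stated in this section; the product-name spellings and the sample inventory rows are constructed for the example.

```python
"""Added example (not Trend Micro's or CCCS's code): triage an endpoint
inventory against the fixed builds named in this advisory.

Assumptions: inventory rows carry a product name and the build string the
agent reports; the product-name spellings are made up for this example and
the thresholds are the ones the advisory text states."""

from __future__ import annotations

import re

# Minimum fixed build per product, from the advisory's Patches section.
FIXED_BUILDS = {
    "Apex One (On-Prem)": "17079",
    "Trend Vision One Endpoint": "14.0.20731",
}


def parse_build(build: str) -> tuple[int, ...]:
    """Turn '14.0.20731' or '17079' into an integer tuple for comparison.

    Comparing build strings lexicographically is wrong: '14.0.9' > '14.0.20731'
    as strings, yet it is the older build. Integer tuples compare element-wise,
    and a shorter tuple that is a prefix of a longer one sorts as older.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", build):
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(part) for part in build.split("."))


def is_vulnerable(product: str, build: str) -> bool:
    """True when the agent build is older than the fixed build for its product.

    Unknown products raise instead of silently passing, so a renamed product
    in the inventory cannot hide affected hosts.
    """
    if product not in FIXED_BUILDS:
        raise KeyError(f"no fixed build known for product {product!r}")
    return parse_build(build) < parse_build(FIXED_BUILDS[product])


def triage(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return the hostnames that still run an affected build."""
    return [host for host, product, build in inventory
            if is_vulnerable(product, build)]


# Constructed sample inventory: (hostname, product, agent build).
SAMPLE_INVENTORY = [
    ("ws-001", "Apex One (On-Prem)", "17079"),
    ("ws-002", "Apex One (On-Prem)", "16850"),
    ("ws-003", "Trend Vision One Endpoint", "14.0.20731"),
    ("ws-004", "Trend Vision One Endpoint", "14.0.9"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected build, upgrade required")
```

Feed it the export from the management console (or an asset database) after mapping the console's product labels onto the keys in `FIXED_BUILDS`; the `KeyError` on an unmapped product is deliberate so that a partial mapping is noticed rather than producing a clean-looking empty result.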
### Workarounds
- **Strict Access Control:** Limit local administrative rights. Note that the privilege escalation starts from an unprivileged local session, so this constrains what an attacker can reach before and after escalation rather than blocking the escalation itself; only the patch removes the flaw.
- **Isolation:** Segment critical systems to prevent lateral movement if an endpoint is compromised.
## Detection
- **Indicators of compromise:** Unusual activity from Trend Micro agent processes (`pccntmon.exe`, `NTRTScan.exe`) modifying system files or registry keys outside of standard update windows. These processes run as SYSTEM and legitimately write to their own install tree and registry hive during updates, so baseline their normal file and registry targets first and alert on writes outside that set.
- **Detection methods and tools:**
- Monitor for unauthorized attempts to stop or modify Trend Micro services.
- Use EDR/XDR logs to identify suspicious parenting of processes originating from the security agent.
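The two detection methods above, run over constructed event records, as an added example that is not part of the advisory or of any Trend Micro tooling. It assumes events are dicts carrying the field names Sysmon (EventID 1, process creation) and the Service Control Manager (EventIDs 7036 and 7040 in the System log) really emit, already parsed out of EVTX by a collector; the maintenance window, the service display-name substrings, the hostnames, timestamps, install paths and sample messages are all assumptions made for the example.

```python
"""Added example (not Trend Micro's or CCCS's code): the detection methods
listed in this section, applied to constructed Windows event records.

Assumptions: each event is a dict with the field names Sysmon (EventID 1)
and the Service Control Manager (EventIDs 7036/7040, System log) emit, already
parsed out of EVTX. The maintenance window, service display-name substrings,
hostnames, timestamps, paths and message texts are made up for this example."""

from __future__ import annotations

from datetime import datetime, time

# Agent binaries from the advisory's IoC list; matched on file name only,
# case-insensitively, because install paths differ between builds.
AGENT_IMAGES = {"pccntmon.exe", "ntrtscan.exe"}

# Children an endpoint-protection agent has no legitimate reason to spawn.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe",
}

# Assumed display-name substrings identifying Trend Micro services in SCM messages.
TREND_SERVICE_MARKERS = ("trend micro", "apex one")

# Assumed nightly agent-update window; service stops inside it are not alerted.
MAINTENANCE_START, MAINTENANCE_END = time(2, 0), time(4, 0)


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_maintenance_window(time_created: str) -> bool:
    """True when an ISO-8601 timestamp falls inside the assumed update window."""
    t = datetime.fromisoformat(time_created).time()
    return MAINTENANCE_START <= t < MAINTENANCE_END


def suspicious_child(event: dict) -> str | None:
    """Sysmon EventID 1: an agent process spawning a shell or LOLBin."""
    if event.get("EventID") != 1:
        return None
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent in AGENT_IMAGES and child in SUSPICIOUS_CHILDREN:
        return f"{event['Computer']}: {parent} spawned {child}: {event.get('CommandLine', '')}"
    return None


def service_tampering(event: dict) -> str | None:
    """SCM 7036 (entered stopped state) or 7040 (start type changed) on a Trend Micro service.

    7036 is also logged when a service starts, so only the 'stopped state' form
    counts, and a stop inside the maintenance window is treated as a routine update.
    """
    if event.get("EventID") not in (7036, 7040):
        return None
    msg = event.get("Message", "")
    low = msg.lower()
    if not any(marker in low for marker in TREND_SERVICE_MARKERS):
        return None
    if event["EventID"] == 7036:
        if "stopped state" not in low:
            return None
        if in_maintenance_window(event["TimeCreated"]):
            return None
    return f"{event['Computer']}: {msg}"


def run_detections(events: list[dict]) -> list[str]:
    """Apply every rule to every event and collect the alert strings, in log order."""
    alerts = []
    for ev in events:
        for rule in (suspicious_child, service_tampering):
            hit = rule(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed sample events (the helper binary in the first record is invented).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ws-002", "TimeCreated": "2026-05-12T09:15:03",
     "ParentImage": r"C:\Program Files (x86)\Trend Micro\Security Agent\PccNTMon.exe",
     "Image": r"C:\Program Files (x86)\Trend Micro\Security Agent\helper.exe",
     "CommandLine": "helper.exe /scan"},
    {"EventID": 1, "Computer": "ws-002", "TimeCreated": "2026-05-12T09:16:41",
     "ParentImage": r"C:\Program Files (x86)\Trend Micro\Security Agent\NTRTScan.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt"},
    {"EventID": 7036, "Computer": "ws-002", "TimeCreated": "2026-05-12T02:30:00",
     "Message": "The Apex One NT RealTime Scan service entered the stopped state."},
    {"EventID": 7036, "Computer": "ws-002", "TimeCreated": "2026-05-12T02:31:10",
     "Message": "The Apex One NT RealTime Scan service entered the running state."},
    {"EventID": 7036, "Computer": "ws-002", "TimeCreated": "2026-05-12T09:17:05",
     "Message": "The Apex One NT RealTime Scan service entered the stopped state."},
    {"EventID": 7040, "Computer": "ws-002", "TimeCreated": "2026-05-12T09:17:06",
     "Message": "The start type of the Apex One NT Listener service was changed from auto start to disabled."},
    {"EventID": 7036, "Computer": "ws-002", "TimeCreated": "2026-05-12T09:20:00",
     "Message": "The Print Spooler service entered the stopped state."},
]

if __name__ == "__main__":
    for line in run_detections(SAMPLE_EVENTS):
        print(line)
```

On the sample data this yields three alerts: the agent spawning `cmd.exe`, the daytime service stop, and the start-type change to disabled; the 02:30 stop is suppressed as maintenance and the Print Spooler stop is ignored. The maintenance-window suppression is the part to tune for a real estate, since an attacker who knows the window can hide inside it; pairing a 7036 stop with a following 7040 change, or with an agent process spawning a shell on the same host within a few minutes, is a stronger signal than any one event alone.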
## References
- Trend Micro Security Bulletin: hxxps[://]success[.]trendmicro[.]com/en-US/solution/KA-0023430
- Trend Micro Vulnerability Response: hxxps[://]success[.]trendmicro[.]com/en-US/vulnerability-response/
- CCCS Advisory: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/trend-micro-security-advisory-av26-494