CISA Warns of Actively Exploited Trend Micro Apex One Vulnerability The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-34926, a critical vulnerability in Trend Micro Apex One, to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in real-world attacks. The flaw, disclosed on May 21, 2026, affects on-premise deployments of the widely used endpoint protection platform. Classified as a directory traversal vulnerability (CWE-23), the flaw allows pre-authenticated local attackers to manipulate server-side files, specifically modifying a key table within the Apex One server. Exploitation enables threat actors to inject malicious code, which is then distributed to connected endpoint agents, effectively turning the security tool into a malware delivery mechanism. While no direct links to ransomware campaigns have been reported, the potential for large-scale network compromise, data exfiltration, or lateral movement makes this a high-risk threat. Given Apex One’s role in enterprise endpoint protection, attackers could abuse trusted update mechanisms to gain widespread access across affected networks. CISA has mandated federal agencies to remediate the vulnerability by June 4, 2026, and urges all organizations to apply vendor-provided patches or mitigations. If fixes are unavailable, discontinuing use of affected systems is recommended until the risk is addressed. Security teams are advised to: - Apply Trend Micro’s latest updates - Restrict local access to Apex One servers - Monitor for unauthorized modifications to configuration files or key tables - Inspect endpoint agents for signs of malicious code deployment - Conduct threat hunting for indicators of compromise (IOCs), such as abnormal agent behavior or unexpected updates The inclusion of CVE-2026-34926 in CISA’s KEV catalog underscores the urgency of remediation, particularly as attackers increasingly target security infrastructure to maximize impact. Organizations using on-premise Apex One deployments should prioritize mitigation to prevent potential widespread compromise.

Trend Micro Patches Critical RCE Flaw in Apex Central Management Console Trend Micro has released a critical security update for its Apex Central on-premise management console, addressing a severe vulnerability (CVE-2025-69258) that could allow unauthenticated attackers to execute arbitrary code with SYSTEM privileges. Apex Central is a centralized web-based platform used by administrators to manage Trend Micro security products, including antivirus, threat detection, and content security tools. The flaw, a LoadLibraryEX vulnerability, enables remote attackers to inject malicious DLLs into the MsgReceiver.exe process—listening on TCP port 20001—without requiring user interaction or prior authentication. According to Trend Micro’s advisory, successful exploitation could grant attackers full control over affected systems under the highest privilege level. Cybersecurity firm Tenable, which discovered and reported the vulnerability, provided technical details and proof-of-concept code, confirming that attackers could trigger the exploit by sending a specially crafted message to the vulnerable process. While exploitation requires specific conditions, such as exposed systems accessible via the internet, Trend Micro has urged immediate patching. The update (Critical Patch Build 7190) also resolves two additional denial-of-service (DoS) vulnerabilities (CVE-2025-69259 and CVE-2025-69260), both exploitable by unauthenticated attackers. This follows a previous remote code execution (RCE) flaw (CVE-2022-26871) patched in 2022, which was actively exploited in the wild. Organizations using Apex Central are advised to apply the latest patch to mitigate potential attacks.

Trend Micro, a cybersecurity firm, fell victim to a sophisticated ransomware attack executed by the Crypto24 gang. The attackers exploited a customized version of RealBlindingEDR, an open-source tool designed to disable endpoint detection and response (EDR) products. The malware specifically targeted Trend Micro’s Trend Vision One security solution by abusing gpscript.exe (a legitimate Group Policy utility) to remotely execute the Trend Vision One uninstaller, effectively neutralizing the company’s defenses. Prior to this, the attackers had already compromised systems to gain administrator-level privileges, allowing them to bypass kernel-level security hooks from 28 vendors, including Trend Micro itself. The attack resulted in data theft and encryption, with the ransomware operators exfiltrating sensitive corporate and customer data before deploying encryption payloads. The breach exposed vulnerabilities in Trend Micro’s own security infrastructure, undermining trust in its ability to protect against privilege escalation and EDR evasion techniques. While the full scope of the data leak remains undisclosed, the incident highlights the growing threat of kernel-level ransomware attacks that exploit legitimate tools to cripple enterprise defenses. The financial and reputational damage includes potential customer churn, regulatory scrutiny, and erosion of market confidence in Trend Micro’s security solutions.

Multiple critical security vulnerabilities in the Trend Micro Apex One enterprise security platform could enable attackers to inject malicious code and escalate privileges on affected systems. The company released emergency patches on June 9, 2025, to address five distinct vulnerabilities tracked under CVE-2025-49154 through CVE-2025-49158, with severity ratings ranging from medium to high on the CVSS 3.0 scale. These vulnerabilities include insecure access control, remote code execution, and privilege escalation, which could lead to significant security breaches if exploited.

Ransomware Attacks Disproportionately Target Windows Systems, Trend Micro Data Reveals A recent analysis by Trend Micro, published on March 6, 2024, highlights the persistent dominance of Windows operating systems as the primary target for ransomware attacks worldwide between 2019 and 2023. The data, compiled in a Statista report, underscores Windows’ overwhelming share of detected ransomware incidents, far outpacing other platforms. The findings reveal that Windows systems accounted for the vast majority of ransomware detections during the five-year period, reflecting both their widespread enterprise and consumer adoption and their attractiveness to threat actors. While the exact percentage breakdown is not specified in the summary, the trend aligns with historical patterns where Windows’ market dominance makes it a lucrative target for cybercriminals. The report does not detail specific attack vectors or regional variations but serves as a broader indicator of ransomware trends across operating systems. The data was accessed on March 18, 2026, and remains a key reference for understanding the evolving threat landscape. The insights provide context for organizations assessing risk exposure and prioritizing security measures for high-target platforms.