Trend Micro has disclosed eight security vulnerabilities in its Apex One endpoint protection platform, including two critical-severity flaws that allow unauthenticated remote attackers to upload malicious code and execute commands on affected systems.
The company released a Critical Patch on February 24, 2026, under Solution ID KA-0022458, covering Apex One 2019 (on-premises) on Windows and macOS platforms.
Trend Micro Apex One Vulnerabilities
Trend Micro’s February 2026 security bulletin identifies eight CVEs, CVE-2025-71210 through CVE-2025-71217, with CVSS 3.1 scores ranging from 7.2 to 9.8.
The two most severe flaws, rated Critical (CVSS 9.8), reside in the Apex One management console, where directory traversal weaknesses allow remote code execution without authentication.
The remaining six vulnerabilities are rated High (CVSS 7.2–7.8) and enable local privilege escalation on both Windows and macOS systems.
| CVE ID | Title | CVSS | Weakness | Platform | Impact |
|---|---|---|---|---|---|
| CVE-2025-71210 | Console Directory Traversal RCE | 9.8 | CWE-22 | Windows | Remote code execution via malicious upload |
| CVE-2025-71211 | Console Directory Traversal RCE | 9.8 | CWE-22 | Windows | Remote code execution; affects different executable than CVE-2025-71210 |
| CVE-2025-71212 | Scan Engine Link Following LPE | 7.8 | CWE-59 | Windows | Local privilege escalation via scan engine |
| CVE-2025-71213 | Origin Validation Error LPE | 7.8 | CWE-346 | Windows | Local privilege escalation via origin validation flaw |
| CVE-2025-71214 | Agent iCore Service Origin Validation LPE | 7.2 | CWE-346 | macOS | Local privilege escalation in iCore service |
| CVE-2025-71215 | Agent iCore TOCTOU Signature Verification LPE | 7.8 | CWE-367 | macOS | Local privilege escalation via time-of-check/time-of-use race condition |
| CVE-2025-71216 | Agent Cache Mechanism TOCTOU LPE | 7.8 | CWE-367 | macOS | Local privilege escalation via cache mechanism race condition |
| CVE-2025-71217 | Agent Self-Protection Origin Validation LPE | 7.8 | CWE-346 | macOS | Local privilege escalation in self-protection module |
CVE-2025-71210 and CVE-2025-71211 are the most dangerous flaws in this bulletin.
Both stem from improper handling of directory traversal sequences in the Apex One management console, enabling a remote, unauthenticated attacker to send a specially crafted HTTP request to upload and execute arbitrary code.
While the CVEs differ in the specific executable they target, both carry identical attack vectors: network-accessible, no authentication required, no user interaction needed.
The two Windows local privilege escalation flaws, CVE-2025-71212 and CVE-2025-71213, require an attacker to already be able to execute low-privileged code on the target system before exploitation.
The four macOS vulnerabilities (CVE-2025-71214 through CVE-2025-71217) are listed as informational only, as they were already patched via ActiveUpdate and SaaS releases in mid-to-late 2025.
Affected Products & Fixes
| Product | Affected Version | Platform | Fix |
|---|---|---|---|
| Apex One | 2019 (On-premises) | Windows | CP Build 14136 |
| Apex One as a Service | SaaS | Windows | Security Agent Build 14.0.20315 |
| Trend Vision One Endpoint – Standard Endpoint Protection | SaaS | Windows | Security Agent Build 14.0.20315 |
| Apex One (Mac) | All versions | macOS | Already mitigated via SaaS 2507 & 2005 Yearly Release |
Mitigation Steps
- Apply CP Build 14136 for Apex One 2019 (on-premises) immediately from Trend Micro’s Download Center
- Upgrade Apex One as a Service agents to Security Agent Build 14.0.20315
- Restrict external IP access to the Apex One management console to minimize exposure for CVE-2025-71210 and CVE-2025-71211
- Enforce source IP restrictions on the management console if it is externally accessible
- Review all remote access policies to critical security infrastructure and ensure perimeter security is current
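As an added example (not from Trend Micro or the original article), here is one way to review the management console's web server logs for the two things the mitigations above point at: requests carrying directory traversal sequences and requests from sources outside the permitted IP ranges. The IIS W3C field layout, the allowlisted range, and the log lines are constructed assumptions, and the request paths are placeholders, not real Apex One endpoints.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: networks permitted to reach the console (documentation range).
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# ".." used as a path segment or parameter value, checked after decoding.
TRAVERSAL = re.compile(r"(?:^|[\\/?=&])\.\.(?:[\\/]|$)")

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the '#Fields:' header."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def triage(lines):
    """Return (client_ip, method, uri_stem, reasons) for requests worth reviewing."""
    findings = []
    for row in parse_w3c(lines):
        target = row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", "")
        reasons = []
        if TRAVERSAL.search(fully_decode(target)):
            reasons.append("traversal-sequence")
        ip = ipaddress.ip_address(row["c-ip"])
        if not any(ip in net for net in ALLOWED_NETS):
            reasons.append("source-outside-allowlist")
        if reasons:
            findings.append((row["c-ip"], row["cs-method"], row["cs-uri-stem"], reasons))
    return findings

# Constructed sample log; the paths are placeholders, not real product endpoints.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-02-25 09:00:01 192.0.2.10 GET /console/placeholder/index - 200
2026-02-25 09:00:07 203.0.113.5 POST /console/placeholder/upload name=..%2f..%2fx 200
2026-02-25 09:00:09 192.0.2.11 POST /console/placeholder/%252e%252e/x - 404
""".splitlines()
```

Calling `triage(SAMPLE_LOG)` returns the two POST requests with the reasons each was flagged. A hit from an allowlisted address still deserves review, since the allowlist only narrows who can reach the console.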