CVE-2025-71215

Trend Micro · Apex One

A time-of-check time-of-use (TOCTOU) vulnerability in the Trend Micro Apex One agent iCore service signature verification allows for local privilege escalation.

Executive summary

A high-severity local privilege escalation vulnerability in Trend Micro Apex One could allow a local attacker to gain elevated system privileges.

Vulnerability

This is a time-of-check time-of-use (TOCTOU) vulnerability within the iCore service's signature verification process. An authenticated local attacker must first achieve low-privileged code execution on the target system to exploit this flaw and elevate their privileges.
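As an added illustration of the bug class (example code written here, not Trend Micro's code and not the iCore service's actual logic), the following Python contrasts a verify-by-path-then-reopen-by-path pattern with a read-once, verify-those-bytes, use-those-bytes pattern. A constructed SHA-256 digest stands in for signature verification, and the `swap` callback is an assumed simulation of the file being replaced inside the check/use window.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Callable, Optional

# Constructed example: a known-good digest stands in for a real signature check.
TRUSTED = b"trusted payload"
TRUSTED_DIGEST = hashlib.sha256(TRUSTED).hexdigest()


def digest_ok(data: bytes) -> bool:
    """Stand-in for signature verification: compare against the trusted digest."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), TRUSTED_DIGEST)


def load_racy(path: str, swap: Callable[[], None]) -> Optional[bytes]:
    """Vulnerable pattern: verify by path, then re-open by path.
    `swap` simulates the file being replaced between the two opens."""
    with open(path, "rb") as f:
        if not digest_ok(f.read()):
            return None
    swap()                       # check/use window
    with open(path, "rb") as f:  # second open may see different content
        return f.read()


def load_safe(path: str, swap: Callable[[], None]) -> Optional[bytes]:
    """Hardened pattern: read once, verify those bytes, use those same bytes.
    A replacement after the read cannot change what gets used."""
    with open(path, "rb") as f:
        data = f.read()
    swap()                       # too late: the bytes in memory are what is checked
    return data if digest_ok(data) else None


def demo(loader: Callable[[str, Callable[[], None]], Optional[bytes]]) -> Optional[bytes]:
    """Run a loader against a temp file that is replaced mid-operation (constructed)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(TRUSTED)

        def swap() -> None:
            with open(path, "wb") as f:
                f.write(b"unverified payload")

        return loader(path, swap)
    finally:
        os.unlink(path)
```

`demo(load_racy)` returns the replaced, never-verified content, while `demo(load_safe)` returns only the bytes that passed verification; real code should likewise verify the exact buffer or handle it goes on to execute or parse, never a path.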

Business impact

Successful exploitation of this vulnerability could allow an attacker to bypass standard security restrictions, resulting in unauthorized administrative access to the host. Given the CVSS score of 7.0, this represents a significant risk to endpoint integrity, potentially enabling persistent malware installation or data exfiltration on compromised systems.

Remediation

Immediate Action: For on-premises Windows, apply Critical Patch Build 14136. For Windows SaaS, apply Security Agent Build 14.0.20315; Mac SaaS users should ensure they are on the latest updates (SaaS 2507 & 2005).

Proactive Monitoring: Monitor system logs for unauthorized service execution or suspicious modifications to agent files that might indicate an attempt to exploit the iCore service.

Compensating Controls: Ensure that local access controls are strictly enforced to minimize the ability for unauthorized users to execute arbitrary code on endpoints where the Apex One agent is deployed.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Organizations should prioritize the deployment of the provided patches for their respective Apex One environments. Because this vulnerability facilitates local privilege escalation, mitigating the initial entry point for low-privileged users is essential to reducing the overall risk profile.