CVE-2026-34926

Trend Micro Apex One Directory Traversal Exploitation (CVE-2026-34926)

Detects exploitation attempts targeting CVE-2026-34926, a directory traversal vulnerability (CWE-23) in Trend Micro Apex One (On-Premise). This KEV-listed vulnerability allows unauthenticated or low-privileged attackers to traverse directory boundaries via crafted HTTP requests to the Apex One management server, potentially enabling arbitrary file read or write operations. Active exploitation has been observed in the wild.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Trend Micro
Product
Apex One

Weakness (CWE)
CWE-23 (Relative Path Traversal)
Timeline

Disclosed
May 21, 2026

CVSS

Unscored

What is CVE-2026-34926 (Trend Micro Apex One Directory Traversal Exploitation)?

In MITRE ATT&CK terms, exploitation of CVE-2026-34926 maps to the Initial Access, Defense Evasion and Credential Access tactics: the adversary is trying to get into your network, avoid being detected, and steal account names and passwords.

This page provides production-ready detection logic for Trend Micro Apex One Directory Traversal Exploitation (CVE-2026-34926), covering the data sources and telemetry it touches: Web Application Firewall logs, IIS/W3C logs, Microsoft Defender for Endpoint network events, Azure Diagnostics. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Defense Evasion Credential Access
Microsoft Sentinel / Defender
kusto
// Each source names its columns differently, so normalise them before matching.
let lookback = 7d;
let iis = W3CIISLog | where TimeGenerated > ago(lookback)
  | project TimeGenerated, RemoteIP = cIP, RequestUri = strcat(csUriStem, "?", csUriQuery), HttpMethod = csMethod, HttpStatusCode = tostring(scStatus), UserAgent = csUserAgent, Source = "IIS";
let waf = AzureDiagnostics | where TimeGenerated > ago(lookback) and Category == "ApplicationGatewayAccessLog"
  | project TimeGenerated, RemoteIP = clientIP_s, RequestUri = requestUri_s, HttpMethod = httpMethod_s, HttpStatusCode = tostring(httpStatus_d), UserAgent = userAgent_s, Source = "AppGateway";
// MDE network events carry the remote URL only for some connections; method, status and agent are not available here.
let mde = DeviceNetworkEvents | where TimeGenerated > ago(lookback) and isnotempty(RemoteUrl)
  | project TimeGenerated, RemoteIP, RequestUri = RemoteUrl, HttpMethod = "", HttpStatusCode = "", UserAgent = "", Source = "MDE";
union iis, waf, mde
// Decode twice so %2e%2e%2f and double-encoded ..%252F collapse to ../ before the path and depth checks.
| extend DecodedUri = url_decode(url_decode(RequestUri))
| where DecodedUri matches regex @"(?i)/(officescan|apex_one|widget|ServerMigration)"
| where DecodedUri contains "../" or DecodedUri contains @"..\"
| extend TraversalDepth = countof(DecodedUri, "..")
| where TraversalDepth >= 2
| project TimeGenerated, Source, RemoteIP, RequestUri, DecodedUri, HttpMethod, HttpStatusCode, UserAgent, TraversalDepth
| order by TimeGenerated desc

Detects HTTP requests to Trend Micro Apex One endpoints containing directory traversal sequences. Targets known Apex One URL paths with double-encoded and plain traversal patterns.

critical severity high confidence

Data Sources

Web Application Firewall logs IIS/W3C logs Microsoft Defender for Endpoint network events Azure Diagnostics

Required Tables

DeviceNetworkEvents W3CIISLog AzureDiagnostics

False Positives

  • Security scanning tools (Qualys, Nessus, Tenable) performing authenticated vulnerability assessments against Apex One
  • Legitimate URL encoding in application traffic that coincidentally includes dot-dot sequences
  • Penetration testing engagements with prior authorization targeting the Apex One management console

Sigma rule & cross-platform mapping

The detection logic for Trend Micro Apex One Directory Traversal Exploitation (CVE-2026-34926) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  # URI matching needs web-server access logs; Windows network-connection events carry no request path.
  category: webserver


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Basic Directory Traversal Probe Against Apex One CGI Endpoint

    Expected signal: IIS access log entry with traversal sequence in cs-uri-query field, HTTP response code indicating success (200) or path not found (404). Network connection event from test host to Apex One server on port 4343.

  2. Test 2: Double-Encoded Traversal Bypass Attempt

    Expected signal: Multiple IIS access log entries with different traversal encoding variants. Possible WAF alert if WAF is deployed. Network events showing rapid sequential HTTP requests to Apex One from the same source IP.

  3. Test 3: Windows Apex One Traversal Simulation via PowerShell

    Expected signal: process creation event for the PowerShell launch (Security Event ID 4688, or Sysmon Event ID 1 in the Sysmon operational log). Network connection events from the Windows test host to Apex One server port 4343. IIS access log entries on the Apex One server matching traversal patterns.
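The following is an added example, not code from the original page or from Trend Micro: a Python model of the traversal rule above (decode the URI twice, require an Apex One path, count `..` segments) run over constructed IIS W3C log lines shaped like the requests the three tests would generate. The Apex One path prefixes and the port 4343 come from this page; the log field order, the `path=` query parameter, timestamps and IP addresses are assumptions. The benign lines exercise the false-positive cases listed above, including a query that contains `..` without a separator.

```python
import re
from urllib.parse import unquote

# Apex One URL prefixes from the rule above; matched case-insensitively on the decoded URI.
APEX_PATHS = re.compile(r"/(officescan|apex_one|widget|ServerMigration)", re.I)

# Field order of the constructed sample log; on a real server read it from the #Fields: line.
W3C_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]


def parse_w3c(line):
    """Parse one IIS W3C log line into a dict, or None for directives/malformed lines."""
    if line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != len(W3C_FIELDS):
        return None
    rec = dict(zip(W3C_FIELDS, parts))
    query = "" if rec["cs-uri-query"] == "-" else rec["cs-uri-query"]
    rec["uri"] = rec["cs-uri-stem"] + ("?" + query if query else "")
    return rec


def decode_uri(uri):
    """Decode twice so %2e%2e%2f and double-encoded ..%252F both collapse to ../."""
    return unquote(unquote(uri))


def traversal_depth(uri):
    """Count '..' segments, but only when a real separator follows somewhere,
    so a query like range=1.0..2.0 scores 0 (one of the false-positive sources above)."""
    decoded = decode_uri(uri)
    if "../" not in decoded and "..\\" not in decoded:
        return 0
    return decoded.count("..")


def is_suspicious(rec, min_depth=2):
    """The rule: an Apex One path plus at least min_depth traversal segments."""
    return bool(APEX_PATHS.search(decode_uri(rec["uri"]))) and traversal_depth(rec["uri"]) >= min_depth


def probe_uris(depth=3, target="windows/win.ini"):
    """URIs the three tests would send: plain, single-encoded, double-encoded and the
    dot-padded '....//' variant. 'path' is a hypothetical parameter name."""
    variants = ["../", "%2e%2e%2f", "..%252F", "....//"]
    return [f"/officescan/?path={v * depth}{target}" for v in variants]


def build_sample_log():
    """Constructed log: the four probes plus four requests that must not fire."""
    benign = [
        "/officescan/console/html/index.html",  # ordinary console page
        "/widget/api?range=1.0..2.0",           # '..' with no separator
        "/officescan/?path=../win.ini",         # single level, below the depth threshold
        "/static/img.png?f=../../x",            # traversal outside Apex One paths
    ]
    lines = ["#Software: Microsoft Internet Information Services 10.0",
             "#Fields: " + " ".join(W3C_FIELDS)]
    for i, uri in enumerate(probe_uris() + benign):
        stem, _, query = uri.partition("?")
        # IIS writes '-' for an empty query and '+' for spaces in the user agent.
        lines.append(" ".join(["2026-05-22", f"10:15:{i:02d}", "10.0.0.5", "GET", stem, query or "-",
                               "4343", "-", "203.0.113.7", "Mozilla/5.0+(Windows+NT+10.0)", "404"]))
    return lines


def run_detection(lines):
    """Apply the rule to log lines; returns (client IP, raw URI, depth, status) per hit."""
    hits = []
    for line in lines:
        rec = parse_w3c(line)
        if rec and is_suspicious(rec):
            hits.append((rec["c-ip"], rec["uri"], traversal_depth(rec["uri"]), rec["sc-status"]))
    return hits


if __name__ == "__main__":
    for hit in run_detection(build_sample_log()):
        print(hit)
```

Counting depth on the decoded URI is what makes the single-encoded probe fire; a rule that matches `%2e%2e%2f` but then counts literal `..` in the raw request would select that line and immediately drop it at the depth filter.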
