
Your Antivirus Turned Against You: Trend Micro Apex One Flaw Now on CISA's Must-Patch List

York Computer

On May 21, CISA added a directory traversal flaw in Trend Micro Apex One (on-premise) to its Known Exploited Vulnerabilities catalog — meaning attackers are already using it in real-world attacks. The ugly twist: Apex One is endpoint security software. The bug lets an attacker modify a key table on the management server and then push malicious code down to every Apex One agent installed on workstations and servers. In other words, the antivirus you bought to defend the business can be turned into the delivery truck for malware.

What was added to the CISA list and why it matters

CISA's May 21 advisory added two actively-exploited vulnerabilities: CVE-2025-34291 in Langflow and CVE-2026-34926, a Trend Micro Apex One (on-premise) directory traversal vulnerability. The Apex One bug is the one small businesses need to focus on. Trend Micro Apex One (on-premise) contains a directory traversal vulnerability that could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations, and CISA's required action is to apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

The federal remediation deadline is June 4, 2026. That deadline technically applies only to federal agencies, but CISA's KEV list is the industry's universal "patch this now" signal. If your provider isn't watching that list and acting on it inside the same window, that's a process gap — not a budget question. A well-run shop will already have this scheduled. You can see the full scope of what proactive vendor monitoring looks like in York Computer's managed IT services lineup.

Why this one is worse than a normal patch alert

Most KEV entries are about an attacker getting into a system. This one is about an attacker getting into your defensive system and using it against you.

Apex One is endpoint protection — the agent that's supposed to detect and stop malware on every PC and server it's installed on. The management server pushes updates, policies, and scan instructions down to those agents. Abuse the directory traversal flaw, modify the right file on the server, and the next "update" the agents pull down is whatever the attacker wants it to be. That's a one-to-many ransomware deployment path with the trust relationship built in.

The small-business takeaway: security tools are not set-and-forget. They are high-value targets precisely because they have privileged access to every endpoint they manage.

What your managed IT provider should be doing this week

If you have an MSP or internal IT person, here is the checklist they should be working through right now:

1. Confirm whether you run Trend Micro Apex One on-premise. The hosted SaaS version (Apex One as a Service) is patched by Trend Micro; the on-premise version is on you.
2. Apply Trend Micro's patch referenced in the vendor advisory (KA-0023430). Because CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, the patch window should be measured in days, not the usual monthly cycle.
3. Restrict management-console access to a specific admin VLAN or jump host. The flaw requires a pre-authenticated local attacker, so reducing who and what can even reach the server cuts the blast radius.
4. Review whether any other security tools you run (EDR, RMM, backup agents) had KEV listings in the last 30 days. The same logic applies.
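Steps 2 and 4 above amount to comparing your security stack against the KEV catalog on a schedule. The script below is an added illustration of that check, not code from the article or from CISA: it reads records in the shape of CISA's public KEV JSON feed (the field names follow that feed, but the sample records here are constructed inline from identifiers in this article rather than downloaded), matches them against a hypothetical inventory of security tools, and reports days remaining against the federal due date.

```python
import json
from datetime import date, timedelta

# Constructed sample records in the layout of the KEV JSON feed ("vulnerabilities" array).
# The first two use identifiers from the article; the third is an obvious placeholder that
# is older than the review window and not in the inventory, so it should never be reported.
SAMPLE_KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2026-34926", "vendorProject": "Trend Micro", "product": "Apex One (on-premise)",
   "dateAdded": "2026-05-21", "dueDate": "2026-06-04", "knownRansomwareCampaignUse": "Unknown",
   "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable."},
  {"cveID": "CVE-2025-34291", "vendorProject": "Langflow", "product": "Langflow",
   "dateAdded": "2026-05-21", "dueDate": "2026-06-04", "knownRansomwareCampaignUse": "Unknown",
   "requiredAction": "Apply mitigations per vendor instructions."},
  {"cveID": "CVE-PLACEHOLDER-0001", "vendorProject": "ExampleVendor", "product": "ExampleAgent",
   "dateAdded": "2026-03-01", "dueDate": "2026-03-15", "knownRansomwareCampaignUse": "Unknown",
   "requiredAction": "Apply updates per vendor instructions."}
]}
"""

# Hypothetical security-stack inventory: (vendorProject, product substring) pairs.
SECURITY_STACK = [("Trend Micro", "Apex One"), ("ConnectWise", "ScreenConnect")]


def kev_watch(kev_json, inventory, today, window_days=30):
    """Return KEV entries for inventoried products added within the last window_days,
    sorted by urgency (soonest or most overdue due date first)."""
    cutoff = today - timedelta(days=window_days)
    wanted = [(v.lower(), p.lower()) for v, p in inventory]
    hits = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        vendor, product = entry["vendorProject"].lower(), entry["product"].lower()
        # Vendor must match exactly; product is a substring match so that
        # catalog suffixes such as "(on-premise)" still hit the inventory.
        if not any(vendor == v and p in product for v, p in wanted):
            continue
        if date.fromisoformat(entry["dateAdded"]) < cutoff:
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({"cve": entry["cveID"], "product": entry["product"],
                     "days_to_due": (due - today).days, "overdue": today > due,
                     "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
                     "action": entry["requiredAction"]})
    return sorted(hits, key=lambda h: h["days_to_due"])


if __name__ == "__main__":
    for hit in kev_watch(SAMPLE_KEV_JSON, SECURITY_STACK, date.today()):
        flag = "OVERDUE" if hit["overdue"] else f'{hit["days_to_due"]} days left'
        print(f'{hit["cve"]}  {hit["product"]}  {flag}  ransomware use: {hit["ransomware"]}')
```

In production, replace SAMPLE_KEV_JSON with the feed downloaded from CISA and SECURITY_STACK with the tools in your own asset inventory, and run it from the same scheduler that drives your patch cycle.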

The bigger pattern: security software is now a top target

This isn't a one-off. In the last six weeks the KEV list has picked up exploited flaws in ConnectWise ScreenConnect (a path traversal vulnerability that could allow an attacker to execute remote code or directly impact confidential data and critical systems, known to be used in ransomware campaigns) and SimpleHelp (a missing authorization vulnerability that could allow low-privileged technicians to create API keys with excessive permissions, which can be used to escalate privileges to the server admin role). Both ScreenConnect and SimpleHelp are remote-management tools — the exact category of software MSPs and internal IT teams use to reach client and employee machines.

The pattern: attackers are going after the tools that talk to everything. Your antivirus, your remote-support tool, your backup console. Compromising one of those is worth more than compromising a single workstation, because it gives them a clean path to all of them. Ask your provider: what's our patch cadence on the security stack itself? If the answer is vague, that's the answer.

What York Businesses Should Do

For York County small businesses running on-prem Trend Micro Apex One — common in healthcare offices, manufacturers, and law firms with compliance reasons to keep tools in-house — get the May 2026 patch applied before the June 4 federal deadline. If you're not sure whether you're on the on-premise or SaaS version, that question alone is worth a call to York Computer this week.

Worried whether your business is exposed to this? Talk to York Computer.

Managed IT & cybersecurity for York County small businesses.
