Critical Vulnerabilities in Trend Micro Apex One and Langflow Under Active Attack
Severity: High (Score: 72.9)
Sources: www.cve.org, Cybersecuritynews, Hkcert, cve.mitre.org, Bleepingcomputer
Keywords: vulnerabilities, trend, micro, apex, langflow, multiple, remote
Severity indicators: vulnerabilities, ot
Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about active exploitation of vulnerabilities in Trend Micro Apex One and Langflow. The vulnerabilities include CVE-2026-34926 in Apex One, which allows local attackers to execute remote code, and CVE-2025-34291 in Langflow, enabling account takeover and remote code execution. Both products have available patches, with Langflow's latest version being 1.9.3. CISA has urged administrators to apply these updates immediately due to the ongoing attacks. The Apex One vulnerability has been confirmed to be exploited in the wild, with a CVSS score of 6.7, while Langflow's vulnerability has a critical rating of 9.4. No indicators of compromise (IOCs) have been provided by CISA or the vendors. The situation emphasizes the urgency for organizations to secure their systems against these threats.
Key Points:
- CISA warns of active exploitation of vulnerabilities in Trend Micro Apex One and Langflow.
- Langflow's CVE-2025-34291 allows account takeover and remote code execution.
- Admins are urged to upgrade to Langflow v1.9.3 and apply patches for Apex One immediately.
Detailed Analysis
**Impact** Organizations using Trend Micro Apex One on-premise and Langflow AI programming tool users are affected globally. The vulnerabilities enable attackers to compromise endpoint security systems and perform account takeover and remote code execution, risking operational disruption and potential data manipulation. The scope includes installations running Apex One prior to the latest patches and Langflow versions up to 1.6.9. No specific sector or geographic concentration was reported.
**Technical Details** Exploited vulnerabilities include a directory traversal flaw in Apex One Server (CVE-2026-34926, CVSS 6.7, medium risk) allowing local attackers to inject malicious code distributed to agents, and a chained critical vulnerability in Langflow (CVE-2025-34291, CVSS 9.4) enabling account takeover and remote code execution. Attackers require local access for Apex One exploitation; Langflow attacks involve remote compromise. No malware or specific tools were detailed, and no indicators of compromise (IOCs) were provided.
**Recommended Response** Apply the latest patches immediately: upgrade Langflow to version 1.9.3 and deploy Trend Micro Apex One updates released on 2026-05-21 addressing CVE-2026-34926 and seven other high-risk flaws. Monitor systems for unusual local activity and unauthorized code deployment, though no specific IOCs are available. Harden access controls to limit local access and review endpoint security configurations to prevent unauthorized modifications.
Source articles (13)
- Vulnerabilities in Trend Micro Apex One and Langflow under attack — Heise.De · 2026-05-22
  The US cybersecurity agency CISA is warning of currently observed attacks on the anti-malware solution Trend Micro Apex One and the AI programming tool Langflow. Updates to close the attacked security…
- Currently, as of the time of reporting, version 1.9.3 is available — github.com · 2026-05-22
  This release includes critical security fixes. We strongly recommend upgrading to v1.9.3 immediately. Full Changelog: v1.9.2...v1.9.3
- CVE-2025-34291 — www.cve.org · 2026-05-22
- CVE-2026-34927 — cve.mitre.org · 2026-05-22
- CVE-2026-34929 — cve.mitre.org · 2026-05-22
- CVE-2026-34930 — cve.mitre.org · 2026-05-22
- CVE-2026-34928 — cve.mitre.org · 2026-05-22
- CVE-2026-34926 — cve.mitre.org · 2026-05-22
- CVE-2026-34926 — nvd.nist.gov · 2026-05-22
  A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents…
- Trend Micro warns of Apex One zero — Bleepingcomputer · 2026-05-22
  Japanese cybersecurity software company Trend Micro has addressed an Apex One zero-day vulnerability exploited in attacks targeting Windows systems. Apex One is Trend Micro's enterprise-grade endpoint…
- CISA Warns of Trend Micro Apex One Vulnerability Exploited in Attacks — Cybersecuritynews · 2026-05-22
  The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Trend Micro Apex One to its Known Exploited Vulnerabilities (KEV) catalog, warning organizations…
- CISA Warns Trend Micro Apex One Vulnerability Is Being Exploited in Attacks — Gbhackers · 2026-05-22
  CISA has added a newly disclosed vulnerability in Trend Micro Apex One to its Known Exploited Vulnerabilities (KEV) catalog, warning that the flaw is actively being exploited in real-world attacks. Th…
- Trend Micro Apex One Multiple Vulnerabilities — Hkcert · 2026-05-22
  Multiple vulnerabilities were identified in Trend Micro Apex One. A remote attacker could exploit some of these vulnerabilities to trigger elevation of privilege, remote code execution and data manipu…
Timeline
- 2025-12-05 — CVE-2025-34291 published: Langflow vulnerability allows account takeover and remote code execution, affecting versions up to 1.6.9.
- 2026-05-18 — First public PoC for CVE-2025-34291: Proof of concept for Langflow vulnerability was made public, increasing exploitation risk.
- 2026-05-21 — CVE-2026-34926 published: Critical vulnerability in Trend Micro Apex One allows local attackers to execute remote code.
- 2026-05-21 — CVE-2026-34926 added to CISA KEV: CISA added the Apex One vulnerability to its Known Exploited Vulnerabilities catalog due to active exploitation.
- 2026-05-22 — CISA issues urgent warning: CISA warns organizations to apply patches for both Langflow and Apex One due to ongoing attacks.
Related entities
- Malware (Attack Type)
- Zero-day Exploit (Attack Type)
- Brazil (Country)
- CWE-22 - Path Traversal (Cwe)
- CWE-269 - Improper Privilege Management (Cwe)
- CWE-94 - Code Injection (Cwe)
- german.it (Domain)
- T1021 - Remote Services (Mitre Attack)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1068 - Exploitation for Privilege Escalation (Mitre Attack)
- T1567 - Exfiltration Over Web Service (Mitre Attack)
- Apex One (Platform)
- FreePBX (Platform)
- NF-e (Platform)
- Trend Micro Apex One (Platform)
- Windows (Platform)
- Art-template (Tool)
- Langflow Vulnerability (Vulnerability)