PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-71212 Trend Micro, Inc. CVE debrief

CVE-2025-71212 is a high-severity local privilege escalation affecting the Trend Micro Apex One scan engine. The supplied NVD record states that a local attacker could escalate privileges, but only after first obtaining the ability to execute low-privileged code on the target system. That prerequisite makes the issue less directly reachable than remote bugs, but it is still important on systems where untrusted local code may run or where attackers can establish an initial foothold.

Vendor: Trend Micro, Inc.
Product: TrendAI Apex One
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Trend Micro Apex One administrators, endpoint security teams, SOC analysts, and platform owners responsible for systems where low-privileged local code may execute. Multi-user endpoints, admin workstations, and any environment that runs untrusted software should treat this as a priority review item.

Technical summary

NVD describes the flaw as a link following vulnerability in the Apex One scan engine, with CWE-59 listed as the weakness class. The CVSS vector provided is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: a local attack path with low complexity, low privileges required, and no user interaction, with high impact on confidentiality, integrity, and availability once triggered. The corpus does not provide exploit details or a patch version, so the safe takeaway is that the scan engine’s handling of filesystem links should be considered vulnerable until Trend Micro guidance is applied.

Defensive priority

High. The attack requires local low-privileged code execution, but the impact is full privilege escalation on affected installations, so environments that permit local execution should treat remediation as urgent.

Recommended defensive actions

  • Review Trend Micro advisory KA-0022458 for the vendor’s remediation guidance and apply the recommended fix or mitigation for Apex One.
  • Track ZDI-26-138 for independent disclosure context and confirm whether your deployment is covered by the affected conditions described by Trend Micro.
  • Reduce opportunities for low-privileged code execution on Apex One hosts by tightening software allowlisting, user permissions, and endpoint hardening controls.
  • Prioritize systems where untrusted users, scripts, or third-party tools can run locally, since the vulnerability requires an initial low-privileged foothold.
  • Validate that endpoint security monitoring is alerting on suspicious local privilege escalation behavior and unusual filesystem link usage on Apex One systems.

Evidence notes

The supplied NVD metadata states: a link following vulnerability in the Trend Micro Apex One scan engine could allow a local attacker to escalate privileges, and the attacker must first obtain the ability to execute low-privileged code on the target system. NVD also provides the CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and lists CWE-59 as a secondary weakness. The reference set includes the Trend Micro advisory KA-0022458 and ZDI-26-138. The source item’s vendor field is marked unknown, so Trend Micro/Apex One attribution is based on the CVE description and official references rather than a populated CPE.

Official resources

Publicly disclosed and published in the supplied record on 2026-05-21, with official references from Trend Micro and the Zero Day Initiative. No KEV listing was provided in the corpus.