CVE-2025-71215
Privilege Escalation in Trend Micro Apex One macOS Agent
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: Trend Micro, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trend_micro | apex_one | up to and including 2025 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a time-of-check time-of-use (TOCTOU) race condition (CWE-367) in the signature-verification logic of the iCore service in the Trend Micro Apex One macOS agent.
The service validates a file by its path and later uses that path again; because the file system object a path resolves to can change between the check and the use, a local attacker who can already run low-privileged code on the host can substitute content after verification has passed.
The substituted content is then processed by the root-privileged service, giving the attacker arbitrary code execution as root.
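The check-then-use pattern behind CWE-367, shown as an added example that is not Trend Micro's code and does not reproduce the iCore service's internals (the advisory does not describe them). Signature verification is stood in for by an HMAC over the file contents with a constructed key; the file names and the `race_hook` callback are assumptions used only to make the race deterministic. The vulnerable function verifies by path and then opens the path again; the hardened one opens once with `O_NOFOLLOW`, validates the inode with `fstat`, and uses exactly the bytes it verified.

```python
import hashlib
import hmac
import os
import shutil
import stat
import tempfile

# Constructed stand-in for a code-signing key; a real platform signature
# check is assumed in its place, not shown.
SIGNING_KEY = b"example-signing-key-not-real"

def sign(data: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()

def signature_valid(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)

def _read_fd(fd: int) -> bytes:
    """Read a whole file through an already-open descriptor."""
    os.lseek(fd, 0, os.SEEK_SET)
    chunks = []
    while True:
        chunk = os.read(fd, 65536)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)

def vulnerable_verify_and_use(path, sig, race_hook=lambda: None):
    """CWE-367: verify by path, then open the path a second time.
    Whatever `path` resolves to at the second open is what gets used."""
    with open(path, "rb") as f:
        if not signature_valid(f.read(), sig):
            return None
    race_hook()  # window in which an attacker can swap what `path` names
    with open(path, "rb") as f:
        return f.read()  # stands in for "load and run as root"

def hardened_verify_and_use(path, sig, race_hook=lambda: None):
    """Open once, refuse symlinks, validate the inode, verify and use the
    same bytes. A later rename or symlink at `path` cannot change them."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError:  # ELOOP for a symlink, ENOENT, permission errors
        return None
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            return None
        if st.st_uid not in (0, os.geteuid()) or st.st_mode & stat.S_IWOTH:
            return None  # someone other than the service could rewrite the inode
        data = _read_fd(fd)
        if not signature_valid(data, sig):
            return None
        race_hook()
        return data  # use exactly what was verified, not a fresh path lookup
    finally:
        os.close(fd)

def demo():
    """Constructed scenario: a signed file is replaced by atomic rename between
    check and use. Returns (vulnerable_result, hardened_result)."""
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "update.bin")
        trusted, evil = b"trusted payload", b"attacker payload"
        sig = sign(trusted)

        def write_trusted():
            with open(path, "wb") as f:
                f.write(trusted)
            os.chmod(path, 0o644)

        def swap_in_attacker_file():
            evil_path = os.path.join(workdir, "evil.bin")
            with open(evil_path, "wb") as f:
                f.write(evil)
            os.replace(evil_path, path)  # a new inode now sits at `path`

        write_trusted()
        vuln = vulnerable_verify_and_use(path, sig, swap_in_attacker_file)
        write_trusted()
        hard = hardened_verify_and_use(path, sig, swap_in_attacker_file)
        return vuln, hard
    finally:
        shutil.rmtree(workdir)

def demo_symlink():
    """The hardened path refuses to open a symlink at all. Returns None."""
    workdir = tempfile.mkdtemp()
    try:
        target = os.path.join(workdir, "real.bin")
        link = os.path.join(workdir, "link.bin")
        with open(target, "wb") as f:
            f.write(b"trusted payload")
        os.chmod(target, 0o644)
        os.symlink(target, link)
        return hardened_verify_and_use(link, sign(b"trusted payload"))
    finally:
        shutil.rmtree(workdir)

if __name__ == "__main__":
    print(demo())          # (b'attacker payload', b'trusted payload')
    print(demo_symlink())  # None
```

The `fstat` ownership and world-writable checks are what make "use the same descriptor" sufficient: a rename or symlink swap cannot change an open inode, but an in-place write by a user who already has write access to it can, so the service must refuse files it does not own outright. Where the verified file must be executed rather than read, the same descriptor should be handed to the execution primitive (for example `fexecve` on POSIX) instead of the path.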
How can this vulnerability impact me?
If exploited, this vulnerability allows a local attacker to escalate their privileges from a low-privileged user to root, effectively gaining full control over the affected system.
This can lead to unauthorized execution of arbitrary code with the highest system privileges, potentially compromising system integrity, confidentiality, and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This is a local privilege escalation in the iCore service of the Trend Micro Apex One macOS agent, so there is no network signature to look for. Detection focuses on finding installed agents and confirming whether they run a build from before the fix.
You can check for the presence of the agent and its version with commands such as:
- On macOS, use `ps aux | grep iCore` to see whether the iCore service is running (the grep process itself will also appear in the output).
- Check installed packages or applications for Trend Micro Apex One and compare the agent version against the fixed release to confirm whether it predates the update.
- Review endpoint logs for unexpected privilege escalations or root-owned processes spawned on behalf of low-privileged users, which could indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, apply the security updates provided by Trend Micro. The issue was addressed via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release).
Ensure that every Trend Micro Apex One agent installation is updated to the fixed release, and verify the installed agent version afterwards rather than assuming the update was applied.
Because exploitation requires the attacker to already run low-privileged code on the host, also restrict the ability of unprivileged users to execute arbitrary code on the system until the update is confirmed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.