The U.S. Cybersecurity and Infrastructure Security Agency added a Trend Micro Apex One zero-day to its Known Exploited Vulnerabilities catalog on 21 May, after Trend Micro confirmed the bug is being exploited in the wild. The flaw, CVE-2026-34926, is a directory traversal vulnerability in the on-premise Apex One server. An attacker who already holds admin credentials can use it to modify a key database table and push malicious code out to every endpoint the server manages.

Only the on-premise version is affected. If your business runs Apex One as a Service (Trend Micro’s cloud-hosted option), you are not in scope for this advisory. But plenty of Australian businesses — particularly those with an internal IT team, or with older MSP arrangements set up before SaaS endpoint products were the default — still have an on-prem Apex One server sitting quietly in a comms cupboard, distributing definitions and agent updates. If that server is compromised, every endpoint it manages becomes a delivery channel for the attacker. CISA’s federal deadline to patch is 4 June 2026, and Australian businesses should treat the same date as the line in the sand.

What to do this week. If you do not know whether your business runs on-prem Apex One, ask your IT provider today. If you do, apply the patches Trend Micro released alongside the advisory, rotate the credentials of any account that has touched the Apex One management console, restrict admin access to a small named set of accounts with MFA enforced, and review the server’s outbound traffic for anything unusual over the next fortnight.

Not sure what endpoint protection your business actually runs? That is also a useful signal that it is time for an honest review. All IT can audit your cybersecurity setup and tell you, in plain English, what is actually protecting your endpoints.