HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Active Exploits of FortiClient EMS and Trend Micro Apex One Flaws Deliver Infostealer to Enterprises

Researchers have confirmed active exploitation of a remote‑code execution bug in FortiClient EMS and a directory‑traversal flaw (CVE‑2026‑34926) in Trend Micro Apex One. Both vulnerabilities allow threat actors to bypass endpoint defenses and steal credentials, making any organization that relies on these products a potential target.

LiveThreat™ Intelligence · 📅 May 31, 2026· 📰 helpnetsecurity.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
helpnetsecurity.com

Active Exploits of FortiClient EMS and Trend Micro Apex One Flaws Deliver Infostealer to Enterprises

What Happened – Researchers observed a malicious infostealer being delivered through a remote code execution flaw in FortiClient EMS, while a separate directory‑traversal vulnerability (CVE‑2026‑34926) in Trend Micro Apex One is being actively exploited in zero‑day attacks. Both flaws allow threat actors to bypass endpoint protection and exfiltrate credentials, browser data, and other sensitive files.

Why It Matters for TPRM

  • Critical security‑product vulnerabilities can become a direct supply‑chain risk for any third‑party relying on these solutions.
  • Exploitation of “security‑as‑a‑service” tools undermines the protective controls that many organizations count on for vendor risk mitigation.
  • Early detection of active exploits enables faster remediation and reduces the window of exposure for downstream partners.

Who Is Affected – Enterprises across all verticals that deploy FortiClient EMS or Trend Micro Apex One for endpoint protection, including finance, healthcare, SaaS providers, and managed service providers.

Recommended Actions

  • Verify that the latest patches for FortiClient EMS (released May 2026) and Trend Micro Apex One (CVE‑2026‑34926) are applied across all managed assets.
  • Conduct an immediate inventory of endpoints running these agents and isolate any unpatched systems.
  • Review third‑party risk assessments to ensure that security‑product dependencies are included in control testing.
  • Monitor CISA and vendor advisories for any emerging indicators of compromise related to these exploits.

Technical Notes – FortiClient EMS flaw enables remote code execution via unauthenticated API calls, allowing an attacker to drop a modular infostealer that harvests credentials, browser histories, and crypto wallets. Trend Micro Apex One’s CVE‑2026‑34926 is a relative‑path directory traversal that lets an attacker read arbitrary files and execute payloads, leading to full system compromise. Both vulnerabilities are classified as high‑severity (CVSS ≥ 8.5) and have been observed in the wild. Source: Help Net Security

📰 Original Source
https://www.helpnetsecurity.com/2026/05/31/week-in-review-infostealer-dropped-via-forticlient-ems-flaw-exploited-trend-micro-apex-one-flaw/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →