Active Exploits of FortiClient EMS and Trend Micro Apex One Flaws Deliver Infostealer to Enterprises
What Happened – Researchers observed a malicious infostealer being delivered through a remote code execution flaw in FortiClient EMS, while a separate directory‑traversal vulnerability (CVE‑2026‑34926) in Trend Micro Apex One is being actively exploited in zero‑day attacks. Both flaws allow threat actors to bypass endpoint protection and exfiltrate credentials, browser data, and other sensitive files.
Why It Matters for TPRM –
- Critical security‑product vulnerabilities can become a direct supply‑chain risk for any third‑party relying on these solutions.
- Exploitation of “security‑as‑a‑service” tools undermines the protective controls that many organizations count on for vendor risk mitigation.
- Early detection of active exploits enables faster remediation and reduces the window of exposure for downstream partners.
Who Is Affected – Enterprises across all verticals that deploy FortiClient EMS or Trend Micro Apex One for endpoint protection, including finance, healthcare, SaaS providers, and managed service providers.
Recommended Actions –
- Verify that the latest patches for FortiClient EMS (released May 2026) and Trend Micro Apex One (CVE‑2026‑34926) are applied across all managed assets.
- Conduct an immediate inventory of endpoints running these agents and isolate any unpatched systems.
- Review third‑party risk assessments to ensure that security‑product dependencies are included in control testing.
- Monitor CISA and vendor advisories for any emerging indicators of compromise related to these exploits.
Technical Notes – FortiClient EMS flaw enables remote code execution via unauthenticated API calls, allowing an attacker to drop a modular infostealer that harvests credentials, browser histories, and crypto wallets. Trend Micro Apex One’s CVE‑2026‑34926 is a relative‑path directory traversal that lets an attacker read arbitrary files and execute payloads, leading to full system compromise. Both vulnerabilities are classified as high‑severity (CVSS ≥ 8.5) and have been observed in the wild. Source: Help Net Security