Local Privilege Escalation in TrendAI Vision One Security Agent (CVE‑2026‑45206) Threatens Enterprise Endpoint Protection
What It Is – TrendAI’s Vision One Security Agent contains an origin‑validation flaw in the Apex One NT Listener service that permits a low‑privileged attacker to execute arbitrary code as SYSTEM. The vulnerability is tracked as CVE‑2026‑45206 and carries a CVSS 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Exploitability – The bug is local‑only; an attacker must already have a foothold on the endpoint to exploit it. No public exploit code has been released, but the low attack complexity and high impact make it a prime target for post‑exploitation toolkits.
Affected Products – TrendAI Vision One Security Agent (all versions prior to the May 2026 patch).
TPRM Impact – A compromised endpoint can become a launchpad for lateral movement across a supplier’s network, jeopardizing the confidentiality, integrity, and availability of downstream customers’ data and services.
Recommended Actions –
- Verify patch status on all Vision One agents; apply the May 2026 update immediately.
- Enforce strict least‑privilege policies for any processes that may run the agent.
- Conduct a rapid inventory of endpoints that have not yet received the patch and prioritize remediation.
- Review EDR/EDM logs for anomalous SYSTEM‑level activity originating from the Apex One NT Listener.
- Update third‑party risk questionnaires to include this CVE and require vendors to demonstrate timely patching.