// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE INT-17DTG 0600Z
ColdRecon / Competitor Intel / Trend Micro
Endpoint Security Vendor

Trend Micro

17 PUBLIC SECURITY EVENTS ON FILE · 2023-06-01 — 2026-05-18

Publicly-known security events concerning Trend Micro — CVEs, advisories, and incidents drawn from open-source reporting. Every item links to its original source.

Category

What Trend Micro sells

EDR is agent-based endpoint tooling that monitors process/file/network activity, detects malicious behavior, and enables response. It is detection-led by design: it observes and acts after code executes. Its efficacy depends on recognizing a threat, so novel/zero-day techniques are a window of exposure until detected.

SOURCE · ColdRecon Reference

Trend Micro competes in the endpoint-security category. ColdRecon publishes only the factual public record below — no competitive analysis or positioning.

The Public Record

Recent security events

On file: 13 vuln disclosures · 1 incident · 3 research pocs.

2026-05-18
vuln disclosure
Pwn2Own Berlin 2024: 47 Zero-Days Disclosed Across Security ProductsPwn2Own Berlin 2024
At Pwn2Own Berlin 2024, security researchers disclosed 47 previously unknown zero-day vulnerabilities in various endpoint security and enterprise products. The event awarded $1.3 million in bounties, highlighting weaknesses in widely used security tools.
2026-02-27
vuln disclosure
Trend Micro Discloses Critical Apex One Vulnerabilities Allowing Remote Code ExecutionCVE-2025-71210
Trend Micro disclosed eight vulnerabilities in Apex One, including two critical unauthenticated remote code execution flaws in the management console. The vulnerabilities were patched in February 2026. The critical flaws allow attackers to upload and execute arbitrary code via directory traversal.
2025-08-07
incident
HeartCrypt Packer-as-a-Service Used by Multiple Ransomware Groups to Disable Endpoint SecurityHeartCrypt
Sophos X-Ops uncovered HeartCrypt, a packer-as-a-service derived from EDRKillShifter, being used by at least eight ransomware groups to disable EDR and AV products before deploying ransomware. The tool injects malicious code into signed executables and uses BYOVD to load a kernel driver that terminates security processes. This represents a significant escalation in ransomware tactics through cybercrime-as-a-service.
2025-08-05
vuln disclosure
Trend Micro Apex One Management Console Pre-Auth RCE (CVE-2025-54987)CVE-2025-54987
CVE-2025-54987 is a critical pre-authentication remote code execution vulnerability in the Trend Micro Apex One on-premises management console. It allows unauthenticated attackers to upload malicious code and execute arbitrary OS commands via OS command injection. The flaw is similar to CVE-2025-54948 but affects a different CPU architecture.
2025-06-17
vuln disclosure
Trend Micro Deep Security Agent 20.0 Link Following Denial of Service VulnerabilityCVE-2025-30642
CVE-2025-30642 is a link following vulnerability in Trend Micro Deep Security Agent 20.0 that allows a local low-privileged attacker to cause a denial of service on Windows systems. The flaw stems from improper handling of symbolic links during privileged file operations, enabling service disruption without user interaction. This vulnerability affects agent availability and security monitoring capabilities.
2025-06-12
research poc
MoveEDR: PowerShell script to disable EDRs by moving files at boot via PendingFileRenameOperationsMoveEDR
A PowerShell script called MoveEDR was published that leverages the Windows PendingFileRenameOperations registry key to move or delete EDR files before they start, effectively disabling endpoint detection. It requires local administrator privileges and targets multiple EDR products, including CrowdStrike, Elastic, McAfee, Trellix, Trend Micro, and Windows Defender. The technique is a proof-of-concept demonstrating a built-in Windows mechanism to bypass tamper protection.
2024-11-18
vuln disclosure
Trend Micro Deep Security Agent 20 Command Injection VulnerabilityCVE-2024-51503
A command injection vulnerability in Trend Micro Deep Security Agent version 20 allows authenticated attackers with low privileges to escalate privileges and execute arbitrary code. In domain environments, attackers with domain user privileges may remotely inject commands to other machines. The flaw resides in the manual scan command handling.
2024-10-22
vuln disclosure
Trend Micro Deep Security Agent Improper Access Control Local Privilege EscalationCVE-2024-48903
An improper access control vulnerability (CWE-269) in Trend Micro Deep Security Agent 20 allows a local attacker with low-privileged code execution to escalate privileges. The flaw impacts confidentiality, integrity, and availability with a CVSS score of 7.8. A patch is available in version 20.0.1 or later.
2024-07-14
vuln disclosure
Trend Micro Apex One RCE Enables Endpoint Security BypassTrend Micro Apex One RCE
Two critical vulnerabilities in Trend Micro Apex One allow remote code execution, leading to complete endpoint security bypass. The flaws enable attackers to disable the EDR agent and evade detection. This poses a significant risk to organizations relying on Apex One for endpoint protection.
2024-06-10
vuln disclosure
Trend Micro Apex One Security Agent Information Disclosure VulnerabilityCVE-2024-36307
A vulnerability in Trend Micro Apex One Security Agent allows local attackers to disclose sensitive information. The flaw exists in the VsApiNT module and can be triggered by creating a mount point, leading to file content disclosure in the context of SYSTEM. Trend Micro has released a patch to address this issue.
2024-06-10
vuln disclosure
Trend Micro Apex One Security Agent TOCTOU Race Condition Privilege EscalationCVE-2024-36304
A time-of-check time-of-use (TOCTOU) race condition in the Trend Micro Apex One Security Agent's NT RealTime Scan service allows local low-privileged attackers to escalate privileges to SYSTEM. The vulnerability arises from improper locking during object operations. Trend Micro has released a patch to address the issue.
2024-01-23
vuln disclosure
Trend Micro Apex One Security Agent Updater Link Following Local Privilege Escalation VulnerabilityCVE-2023-52094
A local privilege escalation vulnerability exists in the Trend Micro Apex One Security Agent updater due to improper link resolution. An attacker with low-privileged code execution can create a junction to abuse the updater and delete an arbitrary folder, leading to SYSTEM-level code execution. Trend Micro has released a patch to address this issue.
2023-09-13
vuln disclosure
ALPC Port Blocking Vulnerability Affects Multiple Windows EDR AgentsCVE-2023-3280
A denial-of-service vulnerability in multiple Windows EDR products allows a low-privileged user to permanently disable the agent after a reboot by preemptively registering an ALPC port name used by the EDR. The affected EDRs fail to handle the case where the port is already in use, causing user-mode components to crash or become non-functional. Kernel components remain running but lose detection/blocking capabilities in most cases.
2023-08-11
vuln disclosure
Researchers Uncover Remote File Deletion Vulnerabilities in Multiple EDR ProductsEDR Remote File Deletion via Malicious Signature Injection
SafeBreach Labs researchers discovered vulnerabilities in several EDR products that allow remote deletion of critical files and databases without authentication. By inserting minimal malicious signatures into files like web server logs, attackers can trick EDRs into automatically deleting the file, leading to data loss and denial of service. The research was presented at Black Hat USA 2023.
2023-06-01
research poc
New malware tool claims to terminate multiple EDR and antivirus agentsEDR-Terminator
A video and Reddit post surfaced on May 28, 2023, showing an executable that allegedly disables tamper protection and terminates the on-premise agents of numerous endpoint security products. The tool claims to work against vendors including CrowdStrike, SentinelOne, Carbon Black, and Windows Defender. ThreatLocker notes that its application allowlisting would block such an unknown executable from running.
Every event on this page is a record in ColdRecon's canonical set, drawn from public reporting and linked to its source above. ColdRecon monitors open-source signal only; it publishes no non-public or customer information.

Trend Micro ships. Your prospect reads the headline. Do you?

ColdRecon turns this signal into one short daily brief, written from the seller's seat — what changed, why it matters to your deals, how to position. Request clearance and the first lands tomorrow at 0600.

Request Clearance →