CVE-2021-36742 — Trend Micro Multiple Products Improper Input Validation Vulnerability

Trend Micro Apex One — Agent Improper Input Validation Enables Local Privilege Escalation to SYSTEM; Disclosed with CVE-2021-36741 Server File Upload

What is Trend Micro Apex One?

Trend Micro Apex One is Trend Micro's enterprise endpoint protection platform. Its agent components are installed on managed Windows workstations and servers, running with elevated (SYSTEM-level) privileges to perform real-time scanning, process inspection, and policy enforcement. Because these agents process input from multiple sources — the management server, local file system operations, and user-mode requests — improper input validation in agent components represents a local privilege escalation risk: an attacker who has obtained a low-privilege local session can send malformed input to the privileged agent process to escalate to SYSTEM.

Overview

CVE-2021-36742 is an improper input validation vulnerability (CWE-20) in the agent components of Trend Micro Apex One, Apex One as a Service, and Worry-Free Business Security. A local attacker with standard (low-privilege) access can send crafted input to the privileged agent process, triggering incorrect behavior that results in escalation to SYSTEM-level code execution on the managed endpoint. The vulnerability was disclosed and patched alongside CVE-2021-36741 (server-side unrestricted file upload) in July 2021, with Trend Micro confirming active exploitation of both at the time of the advisory. CISA added both to KEV in November 2021.

Affected Versions

Product | Vulnerable | Fixed
Trend Micro Apex One (On-Premise) | All builds prior to the July 2021 patch | Apply Critical Patch from advisory 000287819
Trend Micro Apex One as a Service | All builds prior to the July 2021 patch | Apply Critical Patch from advisory 000287819
Trend Micro Worry-Free Business Security | All builds prior to the July 2021 patch | Apply Critical Patch from advisory 000287820

Technical Details

CWE-20 (Improper Input Validation). The Trend Micro Apex One agent runs privileged Windows services. A component that accepts input from a local user-mode process does not adequately validate the structure or content of that input. By sending a crafted request — such as a malformed IPC message, named pipe request, or COM call — a standard user can cause the privileged service to process the input incorrectly, leading to memory corruption, unintended code execution paths, or privilege escalation to SYSTEM.

The AV:L/PR:L (Local, Low Privileges Required) rating confirms this is a local privilege escalation — an attacker who has already gained a standard user session on the managed endpoint can use this to escalate further. In typical exploitation chains, CVE-2021-36741 (file upload) provides code execution on the Apex One server, while CVE-2021-36742 provides SYSTEM-level access on the managed endpoints that receive the server's instructions — together enabling full compromise of both the management infrastructure and the endpoint estate.

Discovery

Trend Micro confirmed active exploitation at the time of the July 2021 advisory. No external researcher was publicly credited with the initial discovery.

Exploitation Context

Trend Micro confirmed active in-the-wild exploitation of CVE-2021-36742 at the time of the July 2021 advisory. CISA added it to the KEV catalog on November 3, 2021. No specific threat actor group has been publicly attributed. As an agent-side LPE, this vulnerability is most valuable as a second-stage privilege escalation after initial code execution has been established on a managed endpoint.

Remediation

  1. Apply the Critical Patch from Trend Micro advisory 000287819 (Apex One) or 000287820 (Worry-Free Business Security) to all managed endpoints.
  2. Prioritize patching endpoints where sensitive data is processed or where privileged users operate.
  3. Also apply the fix for CVE-2021-36741 (server-side file upload), which was co-exploited with this vulnerability.
  4. Verify that Apex One agent updates were received on all managed endpoints via the server's agent status dashboard.
  5. Review Apex One agent event logs for unexpected privilege escalation events or service crashes that may indicate exploitation attempts.
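As an added example for steps 4 and 5 (this is not Trend Micro's own tooling), the following PowerShell, run in an elevated session on a managed endpoint, inventories the locally installed Trend Micro agent services with their state and pulls Service Control Manager crash events (IDs 7031 and 7034) and Application Error events (ID 1000) whose message names a Trend Micro component. The "Trend Micro" display-name and message match and the 30-day look-back window are assumptions.

```powershell
# Added example: triage one managed endpoint for Trend Micro agent service crashes
# before and after deploying the CVE-2021-36742 Critical Patch.
# Assumptions: agent services and faulting-process paths contain "Trend Micro";
# 30-day look-back. Run in an elevated PowerShell session on the endpoint.
$Since = (Get-Date).AddDays(-30)

# 1. Inventory agent services: a stopped or disabled real-time scan service on a
#    supposedly patched endpoint is itself worth a ticket.
$AgentServices = Get-Service | Where-Object { $_.DisplayName -like '*Trend Micro*' }
$AgentServices | Select-Object Name, DisplayName, Status, StartType | Format-Table -AutoSize

# 2. Service Control Manager: 7031 = service terminated unexpectedly,
#    7034 = service terminated unexpectedly with no recovery action configured.
$ScmCrashes = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7031, 7034
    StartTime    = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Trend Micro*' }

# 3. Application Error 1000: faulting-process records (the message carries the
#    faulting application path, which for the agent lives under a Trend Micro folder).
$AppCrashes = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Trend Micro*' }

# 4. Merge and report. A cluster of these events on an unpatched endpoint matches the
#    "service crashes that may indicate exploitation attempts" signal in step 5.
$Findings = @($ScmCrashes) + @($AppCrashes) | Sort-Object TimeCreated
if ($Findings.Count -eq 0) {
    Write-Output "No Trend Micro agent crash events since $Since on $env:COMPUTERNAME."
} else {
    $Findings |
        Select-Object TimeCreated, Id, ProviderName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
}
```

Correlate the report with the agent version shown on the server's agent status dashboard: crash events that continue after the patch is confirmed installed deserve a separate investigation.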

See Also

This CVE is part of a sustained pattern of Trend Micro Apex One vulnerabilities in CISA KEV. See Attacking the Defenders: The Persistent Pattern of AV and EDR Products in CISA KEV for analysis of 18 KEV entries across Microsoft Defender, Trend Micro Apex One, McAfee, and Sophos.

Key Details

Property | Value
CVE ID: CVE-2021-36742
Vendor / Product: Trend Micro Apex One, Apex One as a Service, and Worry-Free Business Security
NVD Published: 2021-07-29
NVD Last Modified: 2025-10-31
CVSS 3.1 Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH
CWE: CWE-20 (Improper Input Validation)
CISA KEV Added: 2021-11-03
CISA KEV Deadline: 2021-11-17
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date | Event
2021-07-29: Trend Micro publishes advisory patching CVE-2021-36741 and CVE-2021-36742 together; active exploitation of both confirmed at time of advisory
2021-11-03: Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17: CISA BOD 22-01 remediation deadline