
When Your EDR Becomes the Delivery Mechanism
CVE-2026-34926 is a relative directory path traversal vulnerability in Trend Micro Apex One. CISA added it to the Known Exploited Vulnerabilities catalog this week, with a federal patching deadline of June 4.
Here is the part that matters operationally: this vulnerability lets an attacker modify a key table on the Apex One server and inject malicious code that gets pushed to every endpoint agent under management. Your EDR - the tool specifically deployed to detect and block malware - becomes the distribution channel.
The attack requires administrative credentials to the Apex One server, which sounds like a high bar until you remember that credential attacks are running at scale right now. An attacker who compromises one admin account can silently push malicious payloads to the entire fleet from a trusted, signed, internal source.
Trend Micro confirmed active exploitation in the wild. Seven additional vulnerabilities affecting Apex One agents were also disclosed in the same advisory, though only CVE-2026-34926 has confirmed exploitation.
What to do: Patch the on-prem Apex One server immediately. Audit who has admin access to the console. If you cannot patch immediately, restrict remote access to the Apex One management interface.
The Config File Is the Vulnerability
CVE-2026-5426 in KnowledgeDeliver LMS (CVSS 7.5) is a different kind of problem - and a more instructive one.
Digital Knowledge shipped deployments with a standardized web.config file containing hardcoded ASP.NET machineKey values. Those keys are used by the .NET framework to encrypt and sign data. When the key is the same across independent installations, anyone who knows the value can craft a malicious ViewState payload and send it via HTTP. The server deserializes it. You get remote code execution.
Mandiant's investigation found attackers used this to deploy Godzilla web shells (also tracked as BLUEBEAM) directly in memory. From there, they modified application JavaScript to display fake security alerts prompting users to install a fake plugin. The platform users trusted as their learning environment was serving malware.
The lesson for defenders: if you run any ASP.NET application, audit your web.config files for machineKey values that match publicly known defaults or are shared across environments.
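One way to run that audit across a set of deployments, as an added example (not code from the article, from Digital Knowledge, or from Mandiant): parse each web.config, pull the machineKey attributes, and flag explicit keys that are shared between environments or that match a list of known-default values. The sample configs and the known-default value below are constructed placeholders; a real audit would load published indicator values into KNOWN_DEFAULT_KEYS.

```python
"""Audit ASP.NET web.config files for risky machineKey settings.

Two findings matter for the KnowledgeDeliver class of bug:
  * shared_across_deployments - the same explicit key in more than one install
  * known_default             - the key matches a published/vendor default
AutoGenerate keys are skipped because they are unique per machine.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample web.config contents for four hypothetical deployments.
# The hex keys are made-up values, not real vendor keys.
SHARED_KEY = "A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90"
OTHER_KEY = "0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A69788796A5B4C3D2E1F0"

SAMPLE_CONFIGS = {
    "prod/web.config": f"""<configuration><system.web>
  <machineKey validationKey="{SHARED_KEY}" decryptionKey="{SHARED_KEY}"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>""",
    "staging/web.config": f"""<configuration><system.web>
  <machineKey validationKey="{SHARED_KEY}" decryptionKey="{SHARED_KEY}"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>""",
    "dev/web.config": """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"/>
</system.web></configuration>""",
    "partner/web.config": f"""<configuration><system.web>
  <machineKey validationKey="D3ADBEEFCAFEBABE00000000000000000000000000000000D3ADBEEFCAFEBABE"
              decryptionKey="{OTHER_KEY}" validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>""",
}

# Constructed placeholder standing in for a vendor-shipped default key.
KNOWN_DEFAULT_KEYS = {"D3ADBEEFCAFEBABE00000000000000000000000000000000D3ADBEEFCAFEBABE"}


def extract_machine_key(xml_text):
    """Return the first <machineKey> element's attributes, or None if absent."""
    root = ET.fromstring(xml_text)
    for node in root.iter("machineKey"):
        return dict(node.attrib)
    return None


def is_auto_generated(value):
    """True for a missing key or one whose first option is AutoGenerate."""
    if value is None:
        return True
    return value.split(",")[0].strip().lower() == "autogenerate"


def audit_machine_keys(configs, known_defaults=KNOWN_DEFAULT_KEYS):
    """Return a list of findings: {'path', 'attribute', 'issue'} dicts."""
    findings = []
    users_of_key = defaultdict(list)  # key value -> [(path, attribute), ...]
    for path, xml_text in configs.items():
        mk = extract_machine_key(xml_text)
        if mk is None:
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr)
            if is_auto_generated(value):
                continue
            normalized = value.strip().upper()
            users_of_key[normalized].append((path, attr))
            if normalized in known_defaults:
                findings.append({"path": path, "attribute": attr,
                                 "issue": "known_default"})
    # A key seen in more than one deployment lets a ViewState forged for one
    # install be replayed against every install that shares it.
    for value, users in users_of_key.items():
        if len({path for path, _ in users}) > 1:
            for path, attr in users:
                findings.append({"path": path, "attribute": attr,
                                 "issue": "shared_across_deployments"})
    return findings


if __name__ == "__main__":
    for f in audit_machine_keys(SAMPLE_CONFIGS):
        print(f"{f['path']:20} {f['attribute']:14} {f['issue']}")
```

Explicit keys are legitimate in web farms where every node must validate the same ViewState, so an explicit key on its own is not reported; the report is about the same key appearing in installs that should be independent, or matching a value the world already knows.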
SharePoint RCE: Authenticated Is Not Safe
CVE-2026-45659 is a deserialization vulnerability in Microsoft SharePoint Server, carrying a CVSS of 8.8. Any authenticated user with Site Member permissions or higher can trigger remote code execution over the network. No elevated privileges required.
"Authenticated" sounds reassuring until you consider that the average enterprise has hundreds or thousands of SharePoint users. A phished credential, a password spray hit, a compromised contractor account - any of those gets you to the threshold for exploitation.
Affected versions: SharePoint Server Subscription Edition, SharePoint Server 2019, SharePoint Enterprise Server 2016. Patch. Audit external access. Verify that Site Member permissions are not over-provisioned.
Fox Tempest: Malware Signed, Certified, Delivered
Microsoft disrupted Fox Tempest this week - a financially motivated threat actor running a malware-signing-as-a-service operation. The model: generate legitimate-looking code signing certificates with 72-hour validity windows, sign customer-submitted malware, deliver it before endpoint tools flag the cert.
Short-lived certificates are specifically designed to outrun revocation. AV and EDR tools that rely on certificate trust as a signal get bypassed. The signed payload looks legitimate at the moment of execution.
Defensive implication: certificate trust alone is not a detection control. Behavioral analysis, execution chain monitoring, and parent-child process inspection need to carry more weight than signature validation.
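What "carry more weight than signature validation" can look like in a detection rule, as an added example (not code from the article or from Microsoft's Fox Tempest write-up): score each process-creation event on certificate lifetime, parent process, and launch path, and alert only when the combination crosses a threshold, so a valid signature never clears a binary by itself. The event field names (image, parent_image, signed, cert_not_before, cert_not_after) are assumed names for what an EDR or Sysmon-style pipeline would supply, and the four events are constructed.

```python
"""Weighted triage of process-creation events where signature trust is one
signal among several rather than an allow decision.
"""
from datetime import datetime, timedelta

# A 72-hour signing certificate falls well inside this window; ordinary code
# signing certificates are issued for one to three years.
SHORT_LIVED_CERT = timedelta(days=7)
RISKY_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "msedge.exe", "chrome.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
ALERT_THRESHOLD = 5

# Constructed events; timestamps are ISO 8601 with an explicit UTC offset.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\jdoe\Downloads\invoice_viewer.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "signed": True,
     "cert_not_before": "2026-05-18T09:00:00+00:00",
     "cert_not_after": "2026-05-21T09:00:00+00:00"},
    {"image": r"C:\Program Files\Vendor\app.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "signed": True,
     "cert_not_before": "2024-01-10T00:00:00+00:00",
     "cert_not_after": "2027-01-10T00:00:00+00:00"},
    {"image": r"C:\Users\jdoe\AppData\Local\Temp\helper.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "signed": False},
    {"image": r"C:\Program Files\Agent\svc.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "signed": True,
     "cert_not_before": "2026-05-18T09:00:00+00:00",
     "cert_not_after": "2026-05-21T09:00:00+00:00"},
]


def cert_lifetime(event):
    """Validity window of the signing certificate, or None if unsigned."""
    if not event.get("signed") or not event.get("cert_not_before"):
        return None
    not_before = datetime.fromisoformat(event["cert_not_before"])
    not_after = datetime.fromisoformat(event["cert_not_after"])
    return not_after - not_before


def score_event(event):
    """Return (score, reasons). No single signal reaches ALERT_THRESHOLD alone."""
    score, reasons = 0, []
    lifetime = cert_lifetime(event)
    if lifetime is not None and lifetime <= SHORT_LIVED_CERT:
        score += 3
        reasons.append(f"signing certificate valid for only {lifetime}")
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    if parent in RISKY_PARENTS:
        score += 3
        reasons.append(f"spawned by {parent}")
    if event["image"].lower().startswith(USER_WRITABLE_PREFIXES):
        score += 2
        reasons.append("executes from a user-writable path")
    return score, reasons


def triage(events, threshold=ALERT_THRESHOLD):
    """Return [(image, score, reasons)] for events at or above the threshold."""
    flagged = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            flagged.append((event["image"], score, reasons))
    return flagged


if __name__ == "__main__":
    for image, score, reasons in triage(SAMPLE_EVENTS):
        print(f"[{score}] {image}")
        for reason in reasons:
            print(f"      - {reason}")
```

The fourth event shows the deliberate gap in the rule: a 72-hour certificate on a service binary launched by services.exe from Program Files scores 3 and does not alert, because a short-lived certificate is suspicious context, not proof. The first event alerts because the same certificate sits on a binary dropped into Downloads and launched by Outlook.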
What This Week Means for Your Org
The pattern this week is not subtle. Attackers are targeting the tools you trust most - your EDR, your enterprise apps, your collaboration platform - and using them as delivery mechanisms or persistence points.
Three questions worth asking your team this week:
- Who has admin access to your endpoint security management console - and when was that list last reviewed?
- Do any of your ASP.NET applications share machineKey values across environments or match known defaults?
- Are your SharePoint permissions scoped appropriately, or has "Site Member" become the default for anyone who needs access to anything?
None of these require a new tool or a significant budget. They require someone actually checking.
GET IN TOUCH
uMercs runs offensive security engagements - pen testing, red team operations, and AI-assisted continuous testing - that find these issues before someone else does. Reach out at umercs.com or info@umercs.com.
Sources
Help Net Security: "Actively exploited Trend Micro Apex One flaw gets CISA warning (CVE-2026-34926)" - May 26, 2026
SecurityWeek / Mandiant: "Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment" - May 26, 2026
The Hacker News: "Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions" - May 26, 2026
Microsoft Security Blog: "Exposing Fox Tempest: A malware-signing service operation" - May 19, 2026

