Trendai Incident Response (Ir) Team

**Name of the Vulnerable Software and Affected Versions** Apex One (on-premise) versions prior to SP1 Build 18012 Apex One (new installs) versions prior to 17079 Apex One (SaaS agent) versions prior to 14.0.20731 **Description** A directory traversal issue in the on-premise management server allows an attacker with local or remote administrative credentials to modify a deployment table. By doing so, the attacker can inject malicious code into the next agent package distributed by the server. Consequently, every managed endpoint receives the payload during routine updates, turning the security software's distribution channel into a vector for deploying code to the systems it is intended to protect. At least one real-world exploitation attempt has been recorded. **Recommendations** Update Apex One SP1 to Build 18012. Update new installations of Apex One to version 17079. Update SaaS agents to version 14.0.20731. Audit users with administrative access to the endpoint protection console and restrict access to the server to minimize the risk of exploitation.