Cybersecurity | February 28, 2026

Critical Apex One RCE Flaws CVE-2025-71210 and CVE-2025-71211 Explained


Secured Intel Team

Editor


Your endpoint protection platform just became the attack surface. That is the uncomfortable reality delivered by CVE-2025-71210 and CVE-2025-71211, two critical path traversal remote code execution (RCE) vulnerabilities in the Trend Micro Apex One management console, disclosed on February 24, 2026. Both flaws carry a CVSS v3.1 score of 9.8, placing them at the top of the severity scale. An attacker who can reach the console can upload and execute arbitrary code, turning the tool deployed to protect your endpoints into an execution environment for malicious payloads.

CISA's Known Exploited Vulnerabilities catalog currently lists ten Apex One vulnerabilities that have been exploited in the wild. History shows this class of flaw moves quickly from disclosure to weaponization, and on-premises deployments require immediate action. This post explains how both CVEs work, what the full February 2026 bulletin covers, how to assess your exposure, and the exact steps needed to close the risk before attackers move first.


CVE-2025-71210 and CVE-2025-71211: Understanding the Path Traversal RCE

How Path Traversal Becomes Code Execution

Path traversal vulnerabilities — classified under CWE-22 — allow an attacker to manipulate file path references in HTTP requests to reach directories and files outside the intended application boundary. In the context of a management console, that boundary separates the web application layer from the underlying operating system. When that boundary fails, an attacker can write files to arbitrary locations on the server's filesystem, including directories from which executables are run.

Both CVE-2025-71210 and CVE-2025-71211 stem from improper handling of directory traversal sequences in the Apex One management console, allowing a remote, unauthenticated attacker to send a crafted HTTP request that writes a file to an attacker-chosen location on the server and then executes it. The two CVEs differ in which console executable is affected, but they share the same attack vector: network-accessible, no authentication required, no user interaction needed.

The practical outcome is complete server-side code execution under the console's process context — on a system that, by design, has administrative reach over every managed endpoint in your estate.
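As an added illustration, not code from the Apex One product or from the original post, the following Python contrasts the upload-sink pattern behind CWE-22 with a hardened version of the same sink. The upload root, the probe filenames and the function names are constructed for the example and say nothing about how the Apex One console is actually implemented; the point is the containment check that the vulnerable pattern lacks, and the encoding and separator variants it has to survive.

```python
"""Path-traversal upload sink: the vulnerable pattern and a hardened check."""
import posixpath
from urllib.parse import unquote

UPLOAD_ROOT = "/opt/console/uploads"   # constructed example root, not an Apex One path


def vulnerable_destination(filename: str) -> str:
    """The CWE-22 pattern: decode the client-supplied name once, join it onto
    the upload root, and let the filesystem resolve whatever '..' remains."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, unquote(filename)))


def safe_destination(filename: str) -> str:
    """Hardened sink: bounded repeated decoding, separator unification,
    rejection of NUL bytes and absolute names, canonicalisation, and a
    containment check of the final path against UPLOAD_ROOT."""
    name = filename
    for _ in range(3):                       # bounded: catches %252e%252e double encoding
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    if "\x00" in name:
        raise ValueError("NUL byte in filename")
    name = name.replace("\\", "/")           # a Windows server treats both as separators
    if posixpath.isabs(name) or (len(name) > 1 and name[1] == ":"):
        raise ValueError("absolute path rejected")
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))
    if candidate == UPLOAD_ROOT or posixpath.commonpath([UPLOAD_ROOT, candidate]) != UPLOAD_ROOT:
        raise ValueError(f"path escapes upload root: {candidate}")
    return candidate


def escapes_root(path: str) -> bool:
    """True when a resolved path lies outside UPLOAD_ROOT."""
    return posixpath.commonpath([UPLOAD_ROOT, path]) != UPLOAD_ROOT


# Constructed probe names of the kind a traversal scanner would send.
PROBES = [
    "report.txt",                        # legitimate
    "../../bin/evil.exe",                # plain traversal
    "..%2F..%2Fbin%2Fevil.exe",          # URL-encoded slashes
    "..%252F..%252Fbin%252Fevil.exe",    # double-encoded: a single-decode sink misses it
    "..\\..\\bin\\evil.exe",             # backslash separators
    "/bin/evil.exe",                     # absolute path: join() discards the root
]


def compare(probes=PROBES) -> dict:
    """For each probe: where the naive sink would write, whether that escapes
    the root, and what the hardened sink does with it."""
    results = {}
    for p in probes:
        naive = vulnerable_destination(p)
        try:
            hardened = safe_destination(p)
        except ValueError as exc:
            hardened = f"REJECTED ({exc})"
        results[p] = (naive, escapes_root(naive), hardened)
    return results


if __name__ == "__main__":
    for probe, (naive, escaped, hardened) in compare().items():
        state = "ESCAPES" if escaped else "inside"
        print(f"{probe!r:38} naive -> {naive} [{state}] | hardened -> {hardened}")
```

The double-encoded probe is the instructive one: the naive sink, which decodes once, writes it as a literal filename inside the root, so it looks harmless at that layer; it becomes a traversal the moment any later component decodes again. The hardened sink decodes until the string stops changing and judges the final canonical path, which is the only check that cannot be bypassed by encoding games.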

Two CVEs, One Console, Different Executables

CVE-2025-71211 is a path traversal vulnerability found in the Apex One management console that could enable a remote attacker to upload malicious code and execute commands on affected installations. The vulnerability is similar in scope to CVE-2025-71210 but impacts a different executable within the Apex One platform.

The fact that two distinct executables within the same console surface independently contain exploitable path traversal logic indicates a systemic input validation weakness, not an isolated coding error. Defenders should treat this as a pattern, not a coincidence.

Table: CVE-2025-71210 and CVE-2025-71211 Side-by-Side

| Attribute               | CVE-2025-71210                                    | CVE-2025-71211                                            |
|-------------------------|---------------------------------------------------|-----------------------------------------------------------|
| CVSS v3.1 score         | 9.8 (Critical)                                    | 9.8 (Critical)                                            |
| Weakness                | CWE-22: Path Traversal                            | CWE-22: Path Traversal                                    |
| Attack vector           | Network                                           | Network                                                   |
| Authentication required | None                                              | None                                                      |
| User interaction        | None                                              | None                                                      |
| Affected executable     | One console executable (not named in the advisory) | A different console executable (not named in the advisory) |
| Impact                  | RCE via malicious upload                          | RCE via malicious upload                                  |
| SaaS status             | Already mitigated                                 | Already mitigated                                         |
| On-premises fix         | CP Build 14136                                    | CP Build 14136                                            |

The Access Precondition: What It Means in Practice

Both CVEs carry a technical note: exploitation requires access to the Apex One management console. The vendor warns that externally exposed console IP addresses increase the risk and recommends applying source restrictions where they are not already in place.

Critically, "requires access to the console" does not mean the attack is limited to authenticated users. The access requirement refers to network reachability, not authentication. Any attacker who can send HTTP requests to the console port — whether from the internet or from a compromised internal host — satisfies this precondition. With zero-authentication exploitation after that point, network reachability is the only gate that stands between an attacker and code execution.


The Full February 2026 Bulletin: Eight Vulnerabilities Across Windows and macOS

Windows Local Privilege Escalation Flaws

The February 2026 bulletin extends well beyond the two critical RCE flaws. CVE-2025-71212 is a Scan Engine Link Following Local Privilege Escalation vulnerability (CWE-59, CVSS 7.8), and CVE-2025-71213 is an Origin Validation Error Local Privilege Escalation vulnerability (CWE-346, CVSS 7.8). An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit these vulnerabilities.

These LPE (Local Privilege Escalation) flaws matter most when read together with the console RCE. An attacker who lands low-privileged code on a managed endpoint can use CVE-2025-71212 or CVE-2025-71213 to elevate locally; that host is then an internal source that satisfies the console's only precondition, network reachability, and can launch the unauthenticated RCE against the management server. Chaining these flaws creates a realistic multi-stage path that begins on one endpoint and ends with administrative control over the entire Apex One-managed estate.

macOS Agent Coverage

CVE-2025-71214 through CVE-2025-71217 affect macOS agents and are provided as informational references only, as they were already addressed via ActiveUpdate and SaaS updates in mid-to-late 2025. No customer action is required for organizations that have maintained current ActiveUpdate deployments on macOS endpoints.

This distinction matters: macOS administrators who relied on ActiveUpdate are protected, while on-premises Windows deployments require the Critical Patch build to achieve equivalent protection.

Table: Full February 2026 Apex One Bulletin Summary

| CVE               | Severity | CVSS | Platform          | Type                          | Action required                   |
|-------------------|----------|------|-------------------|-------------------------------|-----------------------------------|
| CVE-2025-71210    | Critical | 9.8  | Windows (on-prem) | Console RCE (Path Traversal)  | Apply CP Build 14136              |
| CVE-2025-71211    | Critical | 9.8  | Windows (on-prem) | Console RCE (Path Traversal)  | Apply CP Build 14136              |
| CVE-2025-71212    | High     | 7.8  | Windows           | LPE (Link Following)          | Apply CP Build 14136              |
| CVE-2025-71213    | High     | 7.8  | Windows           | LPE (Origin Validation Error) | Apply CP Build 14136              |
| CVE-2025-71214–17 | High     | 7.8  | macOS             | LPE (various)                 | Already patched via ActiveUpdate  |

Apex One's Exploitation History: Why This Matters Beyond the CVEs

A Multi-Year Pattern of Targeted Exploitation

These are not the first critical Apex One vulnerabilities to be exploited in production environments. An actively exploited Apex One RCE vulnerability (CVE-2025-54948) was patched in August 2025, and two other Apex One zero-days exploited in the wild were addressed in September 2022 (CVE-2022-40139) and September 2023 (CVE-2023-41179). CISA tracks ten Apex One vulnerabilities as having been exploited.

This pattern establishes that Apex One management consoles are actively targeted — not theoretically targeted. Threat actors have demonstrated a consistent operational interest in security management platforms, specifically because compromising them yields administrative control over every endpoint the platform manages.

Important: in MITRE ATT&CK terms, exploiting an exposed console this way is T1190 (Exploit Public-Facing Application, under Initial Access), and what follows is abuse of the platform itself: T1072 (Software Deployment Tools) to push code to every managed host over the agent channel, and T1562.001 (Impair Defenses: Disable or Modify Tools) to switch protection off. It is not T1195 (Supply Chain Compromise), which covers tampering with software before it reaches the victim. When attackers subvert security software infrastructure, they inherit the trust relationships that software holds with every managed device. Defenders must treat security platform compromises as a distinct threat category requiring dedicated controls.

The Security Tool as Attack Vector

Management consoles for security solutions have been a preferred target for years. They bundle rights, configuration, and agent control in a single system. An Apex One server compromised via these CVEs can be used to push malicious content to endpoints through legitimate agent channels, deploy ransomware across all managed systems simultaneously, or silently disable detection capabilities on targeted hosts — all through trusted, signed communication paths that endpoint controls will not flag.

This is not theoretical. Abuse of management platforms that hold trusted control over endpoints has featured in landmark intrusions before. CVE-2025-71210 and CVE-2025-71211 create comparable conditions on any on-premises deployment that remains unpatched.


Remediation: Patching, Access Control, and Verification

Apply CP Build 14136 Immediately

Apex One 2019 on-premises customers must apply CP Build 14136 from the vendor's Download Center. SaaS versions have already been mitigated, and no customer action is required for cloud-hosted deployments.

Follow this remediation sequence for on-premises environments:

  1. Confirm your current Apex One build version via Server → About in the management console
  2. Download CP Build 14136 from the official Download Center
  3. Prioritize servers with management consoles reachable from external IPs or broad internal segments
  4. Apply the patch during your next available maintenance window — or immediately if internet-exposed
  5. Verify the build version post-installation and document completion in your risk register

Restrict Console Access by IP — Right Now

Patching should happen in parallel with access restriction, not sequentially after it. Customers whose console's IP address is exposed externally should consider applying source restrictions if not already in place.

Implement the following access controls whether or not you have applied the patch:

  • Restrict Apex One console access to specific management workstation IP ranges using firewall ACLs
  • Block all internet-facing exposure of the management console port at the perimeter
  • Enforce VPN requirements for any administrative access from outside the corporate network
  • Review and tighten internal network ACLs to prevent broad LAN access to the console

Pro Tip: Use your existing network monitoring tools to generate a list of source IPs that have connected to your Apex One console over the past 30 days. Any IP outside your expected management IP ranges warrants investigation — a pre-patch connection from an unknown source to the console could indicate that exploitation occurred before your patch was applied.
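An added example of the review the Pro Tip describes, written for this post rather than taken from the vendor or the original article: a Python triage of console web-server access logs that lists source IPs outside an expected-management allowlist and flags traversal-looking request paths. The log excerpt is constructed in IIS W3C format; the field set, the console paths and the allowlist ranges are assumptions to replace with your own, and nothing here is real Apex One traffic.

```python
"""Triage of admin-console access logs: unknown source IPs and traversal probes."""
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Management sources you expect to see (assumption: replace with your own ranges).
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.10.50.0/24", "192.168.1.10/32")]

# Constructed IIS W3C-style excerpt for a console on TCP 4343 (not real product traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2026-02-20 09:12:01 10.10.50.5 GET /console/login - 4343 10.10.50.21 Mozilla/5.0 200
2026-02-20 09:15:44 10.10.50.5 POST /console/cgi/upload - 4343 10.10.50.21 Mozilla/5.0 200
2026-02-21 22:47:13 10.10.50.5 POST /console/cgi/upload - 4343 203.0.113.44 python-requests/2.31 200
2026-02-21 22:47:15 10.10.50.5 POST /console/cgi/..%2F..%2Fbin%2Fx.exe - 4343 203.0.113.44 python-requests/2.31 200
2026-02-22 03:05:09 10.10.50.5 GET /console/login file=..%252f..%252fwindows%252fwin.ini 4343 198.51.100.7 curl/8.5.0 404
2026-02-22 11:30:00 10.10.50.5 GET /console/dashboard - 4343 192.168.1.10 Mozilla/5.0 200
2026-02-23 14:02:30 10.10.50.5 POST /console/cgi/upload - 4343 10.10.77.3 Mozilla/5.0 403
"""

TRAVERSAL = re.compile(r"\.\.[/\\]")


def parse_w3c(text: str) -> list:
    """Parse W3C extended format: '#Fields:' names the columns, other '#' lines are directives."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def is_expected_source(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def looks_like_traversal(stem: str, query: str) -> bool:
    """Decode twice so %2e%2e and double-encoded %252e%252e variants both surface."""
    decoded = unquote(unquote(f"{stem}?{query}"))
    return TRAVERSAL.search(decoded) is not None


def triage(text: str = SAMPLE_LOG) -> dict:
    """Return unknown source IPs with hit counts, and any traversal-looking requests."""
    unknown, traversal = Counter(), []
    for r in parse_w3c(text):
        if not is_expected_source(r["c-ip"]):
            unknown[r["c-ip"]] += 1
        if looks_like_traversal(r["cs-uri-stem"], r["cs-uri-query"]):
            traversal.append((f'{r["date"]} {r["time"]}', r["c-ip"], r["cs-method"],
                              r["cs-uri-stem"], r["sc-status"]))
    return {"unknown_sources": unknown, "traversal_requests": traversal}


if __name__ == "__main__":
    out = triage()
    print("Unknown console sources:", dict(out["unknown_sources"]))
    for hit in out["traversal_requests"]:
        print("Traversal-looking request:", hit)
```

Two details matter in practice. Exploitation needs no login, so the records of interest are in the web server's access log, not the console's authentication log. And an unexpected internal source (10.10.77.3 in the constructed data) is as significant as an external one, because a compromised LAN host satisfies the reachability precondition just as well.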

Scanning for Exposed Instances

Before assuming your console is not externally accessible, verify it. Conducting an external scan of your IP space for the Apex One console port (default TCP 4343 for HTTPS) from an external vantage point is the only reliable way to confirm console exposure. Internal network discovery using your existing vulnerability management tooling should simultaneously identify all Apex One server instances to ensure your inventory is complete before you declare remediation done.
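Added example, not part of the original post or of the vendor's tooling: a Python probe that connects to TCP 4343 from wherever it is run, completes a TLS handshake with certificate verification deliberately disabled (management consoles commonly present self-signed certificates), and records the HTTP status line and Server header that come back. The default target range is a documentation placeholder; run it from an external vantage point against your own public IP space, since a connection that succeeds from outside is the exposure the text warns about.

```python
"""External reachability probe for an HTTPS admin console on TCP 4343."""
import ipaddress
import socket
import ssl
import sys

CONSOLE_PORT = 4343          # default HTTPS port for the console named in the text


def expand_targets(specs):
    """Expand bare hosts and CIDR ranges into individual IP strings."""
    out = []
    for s in specs:
        if "/" in s:
            out.extend(str(ip) for ip in ipaddress.ip_network(s, strict=False).hosts())
        else:
            out.append(s)
    return out


def probe_console(host, port=CONSOLE_PORT, timeout=3.0):
    """TCP connect, then TLS with verification off, then a HEAD request.
    'reachable' alone is the exposure signal; the rest is fingerprinting."""
    result = {"host": host, "port": port, "reachable": False, "tls": False,
              "status_line": None, "server": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["reachable"] = True
            ctx = ssl.create_default_context()
            ctx.check_hostname = False       # self-signed certs are the norm here
            ctx.verify_mode = ssl.CERT_NONE
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls"] = True
                tls.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
                reply = b""
                while len(reply) < 4096:
                    chunk = tls.recv(1024)
                    if not chunk:
                        break
                    reply += chunk
                    if b"\r\n\r\n" in reply:
                        break
                lines = reply.decode("latin-1").split("\r\n")
                result["status_line"] = lines[0] or None
                for ln in lines[1:]:
                    if ln.lower().startswith("server:"):
                        result["server"] = ln.split(":", 1)[1].strip()
    except (OSError, ssl.SSLError) as exc:
        # Refused/filtered TCP leaves reachable=False; a TLS failure after a
        # successful connect still counts as reachable (the port answers).
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def scan(specs, port=CONSOLE_PORT):
    return [probe_console(ip, port) for ip in expand_targets(specs)]


def exposed(results):
    """Only the hosts that accepted a TCP connection on the console port."""
    return [r for r in results if r["reachable"]]


if __name__ == "__main__":
    targets = sys.argv[1:] or ["203.0.113.0/30"]   # placeholder documentation range
    for r in scan(targets):
        state = "EXPOSED" if r["reachable"] else "closed/filtered"
        print(f"{r['host']}:{r['port']} {state} tls={r['tls']} "
              f"status={r['status_line']} server={r['server']} err={r['error']}")
```

Treat any host in the exposed list as a critical-priority item until it is patched and source-restricted; a plain-HTTP answer or a TLS failure after connect does not lower the priority, because the port is reachable either way. Correlate the list against your asset inventory so that an unexpected answer on 4343 (an undocumented console, or something else squatting on the port) is investigated rather than ignored.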

Table: Remediation Controls by Risk Level

| Exposure scenario                   | Immediate action                     | Compensating control    | Priority      |
|-------------------------------------|--------------------------------------|-------------------------|---------------|
| Console internet-exposed, unpatched | Restrict access + patch immediately  | Block at firewall       | Critical      |
| Console LAN-accessible, unpatched   | Apply patch + restrict ACLs          | Limit to management VLAN| High          |
| Console LAN-accessible, patched     | Verify patch + restrict ACLs         | Routine monitoring      | Medium        |
| SaaS deployment                     | No action required                   | Confirm SaaS version    | Informational |
| macOS agents, ActiveUpdate current  | No action required                   | Verify update history   | Informational |

Key Takeaways

  • Apply CP Build 14136 immediately for all Apex One 2019 on-premises deployments — SaaS customers are already protected, but on-premises environments remain fully exposed without this patch
  • Restrict console access by IP right now, regardless of patch status — firewall ACLs blocking external and unauthorized internal access reduce the exploitable attack surface before the patch is applied
  • Scan your environment for exposed console instances — do not assume your console is unexposed; verify externally from an outside vantage point and correlate against your asset inventory
  • Treat CVE-2025-71212 and CVE-2025-71213 as part of the same risk event — LPE flaws on managed endpoints can be chained with the console RCE to create a full compromise path from endpoint to management infrastructure
  • Review the console's web-server access logs, not only its authentication logs, for pre-patch requests from unknown or unexpected source IPs; exploitation needs no login, so an authentication log alone will not show it, and any anomalous access to the console before the patch was applied should trigger an incident response review
  • Assess your broader security platform exposure posture — if your Apex One console is internet-accessible, audit all other security management platforms in your environment for similar exposure

Conclusion

CVE-2025-71210 and CVE-2025-71211 crystallize a threat model that every security team should internalize: the platforms designed to protect your environment are high-value targets precisely because of the access they hold. A path traversal flaw in the Apex One management console is not a product-specific anomaly — it is a recurring category of risk in security management infrastructure, and CISA's catalog of ten actively exploited Apex One vulnerabilities confirms that adversaries have understood this for years.

The technical response is clear: patch on-premises deployments to CP Build 14136, enforce source IP restrictions on the management console, and verify your exposure posture through active scanning. Then take a wider view. Every security management platform in your environment should face the same scrutiny — restricted access, external exposure verification, and a defined patching SLA that treats critical security tool vulnerabilities as a distinct priority tier above general server patching.

Patch the console. Then lock the door.


Frequently Asked Questions

Q: Do CVE-2025-71210 and CVE-2025-71211 require authentication to exploit? A: No. Both vulnerabilities require only that an attacker have network access to reach the Apex One management console. Once network access exists, exploitation proceeds without any authentication, privileges, or user interaction. The "access to the console" precondition in the official advisory refers to network reachability, not credential requirements.

Q: Are cloud-hosted or SaaS Apex One deployments affected? A: No customer action is required for SaaS and cloud-hosted Apex One deployments. The vendor applied mitigations to SaaS versions before the February 24, 2026 public disclosure. On-premises Apex One 2019 deployments are the only installations that require the Critical Patch Build 14136 to remediate CVE-2025-71210 and CVE-2025-71211.

Q: What is the specific fix, and where do I obtain it? A: The fix is Critical Patch (CP) Build 14136 for Apex One 2019 on-premises. It is available from the official vendor Download Center. The patch addresses both critical console RCE vulnerabilities as well as the two high-severity Windows local privilege escalation flaws (CVE-2025-71212 and CVE-2025-71213) in the same build.

Q: Is there evidence of active exploitation of CVE-2025-71210 or CVE-2025-71211 in the wild? A: As of the February 24, 2026 disclosure, the vendor reported that both CVEs were submitted through responsible disclosure via the Zero Day Initiative with no confirmed active exploitation observed at time of disclosure. However, given the prior active exploitation of closely related Apex One vulnerabilities — including CVE-2025-54948 just six months earlier — the window between disclosure and weaponization should be treated as very short, and patching timelines should reflect that.

Q: If I cannot patch immediately, what is the most effective interim control? A: Restricting network access to the Apex One management console via firewall ACLs or host-based access control lists is the most effective interim control. Limiting console access to specific, known management IP addresses eliminates the network reachability precondition that both CVEs depend on. This control also provides defense-in-depth value even after patching, and should be maintained as a permanent configuration alongside the patch.