Skip to main content

Idrive Cloud Backup Client For Windows CVE-2026-1995

| EUVDEUVD-2026-14949 HIGH
2026-03-24 certcc GHSA-c236-24xj-j3g6
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:17 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
7.0.0.63
EUVD ID Assigned
Mar 24, 2026 - 18:31 euvd
EUVD-2026-14949
Analysis Generated
Mar 24, 2026 - 18:31 vuln.today
CVE Published
Mar 24, 2026 - 18:00 nvd
HIGH 7.8

DescriptionCVE.org

IDrive’s id_service.exe process runs with elevated privileges and regularly reads from several files under the C:\ProgramData\IDrive\ directory. The UTF16-LE encoded contents of these files are used as arguments for starting a process, but they can be edited by any standard user logged into the system. An attacker can overwrite or edit the files to specify a path to an arbitrary executable, which will then be executed by the id_service.exe process with SYSTEM privileges.

AnalysisAI

IDrive's id_service.exe process, which runs with SYSTEM-level privileges on Windows systems, is vulnerable to privilege escalation and arbitrary code execution due to insecure file handling. The vulnerability affects IDrive Cloud Backup Client for Windows across multiple versions, as the elevated service process reads UTF16-LE encoded configuration files from C:\ProgramData\IDrive\ that are writable by standard unprivileged users. An attacker with local user access can modify these files to inject arbitrary executable paths, causing id_service.exe to execute malicious code with SYSTEM privileges, resulting in complete system compromise. While CVSS and EPSS scores are not available, this represents a critical local privilege escalation vector with trivial exploitability due to the file write permissions on the ProgramData directory.

Technical ContextAI

The vulnerability stems from an insecure inter-process communication (IPC) pattern where a Windows service running under the SYSTEM account (id_service.exe) trusts input from world-writable configuration files without proper validation. The affected product is IDrive Cloud Backup Client for Windows, identified via CPE cpe:2.3:a:idrive:idrive_cloud_backup_client_for_windows:*:*:*:*:*:*:*:*. The root cause aligns with CWE-426 (Untrusted Search Path) and CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code), as the service reads file paths and UTF16-LE encoded arguments without sanitization before passing them to process creation APIs. The C:\ProgramData\ directory, while system-managed, maintains write permissions for authenticated local users by default in many Windows configurations, making it a weak trust boundary. The service's use of UTF16-LE encoding suggests Windows-native APIs (likely CreateProcessW or similar) are directly consuming the file contents, bypassing opportunity for validation layers.

RemediationAI

IDrive users should prioritize applying the latest security patch released by IDrive for their Cloud Backup Client for Windows installation; version information and downloads are available through IDrive's official support portal and the CERT/CC advisory at https://kb.cert.org/vuls/id/330121. Pending patch deployment, system administrators should apply the following mitigations: restrict write permissions on C:\ProgramData\IDrive\ to SYSTEM and Administrators groups only (removing standard user write access via NTFS ACLs), disable or uninstall IDrive services on multi-user systems where privilege escalation risk is unacceptable, run id_service.exe under a least-privilege service account if the product supports it, and monitor file modifications in the ProgramData\IDrive directory using Windows Auditing or endpoint detection and response (EDR) tools. On shared or high-risk systems, consider containerizing or sandboxing the IDrive service until a patch is verified and deployed.

Share

CVE-2026-1995 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy