Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Symantec Data Loss Prevention Windows Endpoint, prior to 25.1 MP1, 16.1 MP2, 16.0 RU2 HF9, 16.0 RU1 MP1 HF12, and 16.0 MP2 HF15, may be susceptible to a Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.
AnalysisAI
Elevation of privilege in Symantec Data Loss Prevention Windows Endpoint allows authenticated local users to gain SYSTEM-level access and compromise protected resources. Affects all versions prior to 25.1 MP1, 16.1 MP2, 16.0 RU2 HF9, 16.0 RU1 MP1 HF12, and 16.0 MP2 HF15. CVSS 7.8 (High) reflects the local attack vector but complete system compromise upon successful exploitation. No public exploit identified at time of analysis, though the CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) classification suggests potential DLL hijacking or similar trust boundary violations.
Technical ContextAI
The vulnerability stems from CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), indicating the DLP Windows endpoint agent may load or execute code from locations controllable by lower-privileged users. This class of vulnerability commonly manifests through unquoted service paths, insecure directory permissions allowing DLL planting, or loading configuration/plugins from user-writable locations. The Symantec/Broadcom DLP Windows Endpoint runs with elevated privileges to monitor data exfiltration attempts across applications, clipboard operations, and network traffic. The affected CPE (cpe:2.3:a:broadcom:data_loss_prevention) covers the Windows endpoint agent component specifically, which operates as a kernel-mode driver and user-mode service. When such agents trust user-controlled paths or fail to validate code integrity, authenticated users can inject malicious libraries or executables that inherit the agent's SYSTEM context. The 'Information Disclosure' and 'Microsoft' tags suggest this may also expose sensitive DLP policy configurations or monitored data during the privilege escalation process.
RemediationAI
Organizations must upgrade Symantec Data Loss Prevention Windows Endpoint agents to patched versions based on their current release branch. For version 25.x deployments, upgrade to 25.1 MP1 or later. For version 16.1 deployments, upgrade to 16.1 MP2 or later. For version 16.0 RU2 deployments, upgrade to 16.0 RU2 HF9 or later. For version 16.0 RU1 deployments, upgrade to 16.0 RU1 MP1 HF12 or later. For version 16.0 maintenance pack deployments, upgrade to 16.0 MP2 HF15 or later. The Broadcom security advisory at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37306 provides release-specific upgrade paths and installation packages. As an interim mitigation where immediate patching is not feasible, restrict local user privileges on systems running DLP agents, enforce application control policies to prevent unauthorized code execution, and monitor DLP agent service integrity through endpoint detection and response (EDR) solutions. No workaround fully mitigates the vulnerability; patching remains the definitive remediation.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17164
GHSA-6r2p-x2m4-j49c