Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Local privilege escalation due to EXE hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227.
AnalysisAI
Local privilege escalation in Acronis DeviceLock DLP for Windows (builds prior to 9.0.15051.93227) allows a low-privileged local user to hijack the execution of a trusted DeviceLock executable and run arbitrary code with elevated rights. The flaw is rooted in CWE-427 (Uncontrolled Search Path Element), commonly seen when an application loads a binary from a writable or attacker-controllable location. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
DeviceLock DLP is an endpoint data loss prevention agent that runs privileged Windows services to enforce device/port control policies; such agents typically auto-launch helper executables during update, repair, or scheduled tasks. CWE-427 (Uncontrolled Search Path Element) means the product locates and executes a binary using a search order or path that an unprivileged attacker can influence - for example a writable application directory, a per-user PATH entry, or an unquoted service path. When the privileged DeviceLock component invokes the hijacked EXE, the attacker's code inherits the service's SYSTEM-level token, completely subverting the DLP agent that is meant to enforce policy on the endpoint.
RemediationAI
Vendor-released patch: Acronis DeviceLock DLP for Windows build 9.0.15051.93227 or later - upgrade all endpoints to this build per the advisory at https://security-advisory.acronis.com/advisories/SEC-3084. Until patches can be deployed, apply compensating controls focused on the hijack precondition: audit DeviceLock's installation directory and service ImagePath entries with tools like icacls and Sysinternals AccessChk to confirm only SYSTEM/Administrators have write access (trade-off: requires per-host inventory and may flag legitimate post-install customizations), remove any non-admin write permissions on the DeviceLock program folder and parent directories, and restrict interactive logon on hosts where DeviceLock runs since exploitation requires a local account plus user interaction (trade-off: reduces convenience on shared workstations). Increase EDR sensitivity for child processes spawned by DeviceLock service binaries from non-standard paths to detect attempted hijacks while patching is in flight.
Same weakness CWE-427 – Uncontrolled Search Path Element
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34171
GHSA-qgh2-4v7g-2cmc