Skip to main content

Acronis DeviceLock DLP CVE-2026-44609

| EUVDEUVD-2026-34171 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-06-03 security@acronis.com GHSA-qgh2-4v7g-2cmc
7.3
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 03, 2026 - 22:01 EUVD
Analysis Generated
Jun 03, 2026 - 20:33 vuln.today
CVE Published
Jun 03, 2026 - 20:16 nvd
HIGH 7.3

DescriptionCVE.org

Local privilege escalation due to EXE hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227.

AnalysisAI

Local privilege escalation in Acronis DeviceLock DLP for Windows (builds prior to 9.0.15051.93227) allows a low-privileged local user to hijack the execution of a trusted DeviceLock executable and run arbitrary code with elevated rights. The flaw is rooted in CWE-427 (Uncontrolled Search Path Element), commonly seen when an application loads a binary from a writable or attacker-controllable location. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

DeviceLock DLP is an endpoint data loss prevention agent that runs privileged Windows services to enforce device/port control policies; such agents typically auto-launch helper executables during update, repair, or scheduled tasks. CWE-427 (Uncontrolled Search Path Element) means the product locates and executes a binary using a search order or path that an unprivileged attacker can influence - for example a writable application directory, a per-user PATH entry, or an unquoted service path. When the privileged DeviceLock component invokes the hijacked EXE, the attacker's code inherits the service's SYSTEM-level token, completely subverting the DLP agent that is meant to enforce policy on the endpoint.

RemediationAI

Vendor-released patch: Acronis DeviceLock DLP for Windows build 9.0.15051.93227 or later - upgrade all endpoints to this build per the advisory at https://security-advisory.acronis.com/advisories/SEC-3084. Until patches can be deployed, apply compensating controls focused on the hijack precondition: audit DeviceLock's installation directory and service ImagePath entries with tools like icacls and Sysinternals AccessChk to confirm only SYSTEM/Administrators have write access (trade-off: requires per-host inventory and may flag legitimate post-install customizations), remove any non-admin write permissions on the DeviceLock program folder and parent directories, and restrict interactive logon on hosts where DeviceLock runs since exploitation requires a local account plus user interaction (trade-off: reduces convenience on shared workstations). Increase EDR sensitivity for child processes spawned by DeviceLock service binaries from non-standard paths to detect attempted hijacks while patching is in flight.

Share

CVE-2026-44609 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy