Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227.
AnalysisAI
Local privilege escalation in Acronis DeviceLock DLP for Windows (builds prior to 9.0.15051.93227) enables an authenticated low-privileged user to execute code in a higher-privileged context by abusing uncontrolled DLL search path loading. Exploitation requires local access plus user interaction, and at the time of analysis no public exploit identified at time of analysis and the issue is not listed in CISA KEV. The vendor (Acronis PSIRT) has published advisory SEC-11249 with a fixed build.
Technical ContextAI
DeviceLock DLP is an endpoint data-loss-prevention agent that runs privileged Windows services to enforce device, port, and content policies on workstations. The flaw is a CWE-427 Uncontrolled Search Path Element (DLL hijacking / DLL preloading): one or more DeviceLock executables load a DLL by unqualified name, allowing Windows' default search order to resolve it from a directory the attacker can write to (typically the application's working directory or a user-writable PATH entry) before the legitimate system location. When the targeted process runs at a higher integrity level than the attacker, the malicious DLL is loaded in that privileged context, yielding code execution at the host process's privilege level. CPE data is not provided in the input; affected scope is identified by product/build string from the description.
RemediationAI
Vendor-released patch: Acronis DeviceLock DLP (Windows) build 9.0.15051.93227 or later - upgrade all endpoint agents and management components to that build per Acronis advisory SEC-11249 (https://security-advisory.acronis.com/advisories/SEC-11249). Until patching is completed, apply targeted compensating controls: restrict write permissions on the DeviceLock installation directory and any per-user working directories used to launch its executables so standard users cannot drop DLLs there; remove user-writable directories from the system PATH; and use AppLocker or Windows Defender Application Control to allow only Acronis-signed DLLs to load into DeviceLock processes. Each of these has trade-offs - ACL tightening can break in-place updates if the installer is run from a user context, PATH hygiene can disrupt legitimate user tooling, and WDAC/AppLocker rules require an audit phase to avoid blocking legitimate third-party plug-ins. EDR rules that alert on DLL loads from unusual paths into DeviceLock binaries are a useful detection-side backstop.
Same weakness CWE-427 – Uncontrolled Search Path Element
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34174
GHSA-3w7q-wcq7-c2vr