Skip to main content

Acronis DeviceLock DLP CVE-2026-44682

| EUVDEUVD-2026-34174 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-06-03 security@acronis.com GHSA-3w7q-wcq7-c2vr
7.3
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 03, 2026 - 22:01 EUVD
Analysis Generated
Jun 03, 2026 - 20:33 vuln.today
CVE Published
Jun 03, 2026 - 20:16 nvd
HIGH 7.3

DescriptionCVE.org

Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227.

AnalysisAI

Local privilege escalation in Acronis DeviceLock DLP for Windows (builds prior to 9.0.15051.93227) enables an authenticated low-privileged user to execute code in a higher-privileged context by abusing uncontrolled DLL search path loading. Exploitation requires local access plus user interaction, and at the time of analysis no public exploit identified at time of analysis and the issue is not listed in CISA KEV. The vendor (Acronis PSIRT) has published advisory SEC-11249 with a fixed build.

Technical ContextAI

DeviceLock DLP is an endpoint data-loss-prevention agent that runs privileged Windows services to enforce device, port, and content policies on workstations. The flaw is a CWE-427 Uncontrolled Search Path Element (DLL hijacking / DLL preloading): one or more DeviceLock executables load a DLL by unqualified name, allowing Windows' default search order to resolve it from a directory the attacker can write to (typically the application's working directory or a user-writable PATH entry) before the legitimate system location. When the targeted process runs at a higher integrity level than the attacker, the malicious DLL is loaded in that privileged context, yielding code execution at the host process's privilege level. CPE data is not provided in the input; affected scope is identified by product/build string from the description.

RemediationAI

Vendor-released patch: Acronis DeviceLock DLP (Windows) build 9.0.15051.93227 or later - upgrade all endpoint agents and management components to that build per Acronis advisory SEC-11249 (https://security-advisory.acronis.com/advisories/SEC-11249). Until patching is completed, apply targeted compensating controls: restrict write permissions on the DeviceLock installation directory and any per-user working directories used to launch its executables so standard users cannot drop DLLs there; remove user-writable directories from the system PATH; and use AppLocker or Windows Defender Application Control to allow only Acronis-signed DLLs to load into DeviceLock processes. Each of these has trade-offs - ACL tightening can break in-place updates if the installer is run from a user context, PATH hygiene can disrupt legitimate user tooling, and WDAC/AppLocker rules require an audit phase to avoid blocking legitimate third-party plug-ins. EDR rules that alert on DLL loads from unusual paths into DeviceLock binaries are a useful detection-side backstop.

Share

CVE-2026-44682 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy