Skip to main content

Acronis DeviceLock DLP CVE-2026-50033

| EUVDEUVD-2026-34172 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-06-03 security@acronis.com GHSA-769h-95cg-2m99
7.3
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 03, 2026 - 22:01 EUVD
Analysis Generated
Jun 03, 2026 - 20:34 vuln.today
CVE Published
Jun 03, 2026 - 20:16 nvd
HIGH 7.3

DescriptionCVE.org

Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227.

AnalysisAI

Local privilege escalation in Acronis DeviceLock DLP for Windows (builds prior to 9.0.15051.93227) enables a low-privileged local user to execute code in a higher-privileged context by abusing insecure DLL search behavior. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the combination of low complexity and a security product as the target makes it a credible insider/post-compromise risk. Exploitation requires local access plus user interaction, which limits drive-by mass abuse.

Technical ContextAI

DeviceLock DLP is an endpoint data loss prevention agent that runs with elevated privileges on Windows to enforce device control and content inspection policies. The root cause is CWE-427 (Uncontrolled Search Path Element), commonly known as DLL hijacking or DLL planting: when a process loads a library by name rather than fully qualified path, Windows walks an ordered search path (application directory, system directories, current directory, %PATH%) and will load the first match it finds. If any writable directory appears earlier in the search order than the legitimate DLL location, an attacker-supplied DLL with the expected name is loaded and executed inside the high-privileged DeviceLock process. The single NVD-referenced CPE coverage is Acronis DeviceLock DLP on Windows; no CPE 2.3 string was provided in the supplied data.

RemediationAI

Vendor-released patch: Acronis DeviceLock DLP for Windows build 9.0.15051.93227 or later - upgrade per the Acronis advisory at https://security-advisory.acronis.com/advisories/SEC-3085 as the primary fix. Until the upgrade is deployed, restrict write permissions on any directories that appear in the DeviceLock process search path (application install directory, any directory writable by non-administrators that is on %PATH%) so that standard users cannot drop a planted DLL, and audit %PATH% for world-writable entries that should be removed; the trade-off is that overly aggressive ACL changes on shared application directories can break legitimate software updates. Application allowlisting (WDAC or AppLocker) configured to block unsigned or non-Acronis-signed DLLs from loading into DeviceLock processes provides defense-in-depth at the cost of additional policy maintenance, and monitoring Sysmon Event ID 7 (ImageLoad) for unexpected module paths inside DeviceLock processes will surface in-progress exploitation attempts.

Share

CVE-2026-50033 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy