Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227.
AnalysisAI
Local privilege escalation in Acronis DeviceLock DLP for Windows (builds prior to 9.0.15051.93227) enables a low-privileged local user to execute code in a higher-privileged context by abusing insecure DLL search behavior. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the combination of low complexity and a security product as the target makes it a credible insider/post-compromise risk. Exploitation requires local access plus user interaction, which limits drive-by mass abuse.
Technical ContextAI
DeviceLock DLP is an endpoint data loss prevention agent that runs with elevated privileges on Windows to enforce device control and content inspection policies. The root cause is CWE-427 (Uncontrolled Search Path Element), commonly known as DLL hijacking or DLL planting: when a process loads a library by name rather than fully qualified path, Windows walks an ordered search path (application directory, system directories, current directory, %PATH%) and will load the first match it finds. If any writable directory appears earlier in the search order than the legitimate DLL location, an attacker-supplied DLL with the expected name is loaded and executed inside the high-privileged DeviceLock process. The single NVD-referenced CPE coverage is Acronis DeviceLock DLP on Windows; no CPE 2.3 string was provided in the supplied data.
RemediationAI
Vendor-released patch: Acronis DeviceLock DLP for Windows build 9.0.15051.93227 or later - upgrade per the Acronis advisory at https://security-advisory.acronis.com/advisories/SEC-3085 as the primary fix. Until the upgrade is deployed, restrict write permissions on any directories that appear in the DeviceLock process search path (application install directory, any directory writable by non-administrators that is on %PATH%) so that standard users cannot drop a planted DLL, and audit %PATH% for world-writable entries that should be removed; the trade-off is that overly aggressive ACL changes on shared application directories can break legitimate software updates. Application allowlisting (WDAC or AppLocker) configured to block unsigned or non-Acronis-signed DLLs from loading into DeviceLock processes provides defense-in-depth at the cost of additional policy maintenance, and monitoring Sysmon Event ID 7 (ImageLoad) for unexpected module paths inside DeviceLock processes will surface in-progress exploitation attempts.
Same weakness CWE-427 – Uncontrolled Search Path Element
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34172
GHSA-769h-95cg-2m99