A critical privilege escalation vulnerability has been discovered in multiple versions of DriveLock security products. This flaw allows a local, unprivileged user on a Windows computer to manipulate privileged DriveLock processes, enabling them to gain full administrative control over the system. Successful exploitation could lead to a complete system compromise, data theft, or the deployment of malware such as ransomware.

This vulnerability is a local privilege escalation (LPE) on the Windows operating system. An attacker with standard, low-privilege user access to an endpoint can exploit an unspecified flaw within a DriveLock process that is running with elevated (e.g., SYSTEM) permissions. By manipulating this process, the attacker can force it to execute arbitrary code with the same high-level privileges, effectively escalating their own permissions from a standard user to a system administrator.

This vulnerability is rated as critical severity with a CVSS score of 9.9, reflecting the ease of exploitation and the total impact on a compromised system. An attacker who successfully exploits this flaw gains complete control over the affected endpoint. This allows them to bypass all security controls, install persistent malware, access, modify, or exfiltrate any sensitive data on the machine, and potentially use the compromised system as a pivot point to attack other resources on the corporate network. The direct risks to the organization include data breaches, ransomware infection, operational disruption, and reputational damage.

Immediate Action: Immediately apply the security updates provided by the vendor. Administrators should update all affected DriveLock installations to the following patched versions or later:

• DriveLock 24.1.6
• DriveLock 24.2.7
• DriveLock 25.1.5

After patching, monitor systems for any signs of exploitation attempts and review security and application logs for anomalous activity preceding the update.

Proactive Monitoring: Security teams should monitor for indicators of compromise related to this vulnerability. This includes observing Windows Security Event Logs for unusual process creation originating from DriveLock services (e.g., cmd.exe or powershell.exe spawned by a DriveLock process). Monitor for unexpected file modifications within DriveLock's installation directories and for suspicious command-line arguments passed to system utilities.

Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce risk. Enforce the principle of least privilege by ensuring standard user accounts have no unnecessary permissions. Utilize application control or whitelisting solutions to prevent the execution of unauthorized tools that an attacker might use post-escalation. Deploy and configure an Endpoint Detection and Response (EDR) solution to detect and block suspicious behavior patterns associated with privilege escalation.

Public Exploit Available: false

Given the critical severity (CVSS 9.9) of this vulnerability, immediate remediation is strongly recommended. This flaw provides a direct path for a low-privilege user to achieve full system compromise, representing a significant threat to endpoint security. Although it is not currently listed on the CISA KEV catalog, its high impact and low attack complexity warrant urgent attention. Organizations must prioritize the deployment of the vendor-provided patches across all affected Windows endpoints to mitigate the risk of compromise.