CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-55187

CVSS 9.9v3.1pub. 2025-09-26upd. 2025-10-08

In DriveLock 24.1.4 before 24.1.5, 24.2.5 before 24.2.6, and 25.1.2 before 25.1.4, attackers can gain elevated privileges.

🤖 AI Analysis
How it works

The vulnerability results from improper privilege management (CWE-269) in DriveLock software. An attacker with only basic user privileges (PR:L) can, through the network (AV:N), without victim interaction (UI:N), cause privilege escalation. The CVSS vector indicates a scope change (S:C), meaning the impact of the attack may extend beyond the directly attacked component and affect other parts of the infrastructure.

Impact

An attacker can obtain elevated privileges, leading to complete compromise of confidentiality, integrity, and availability of the system (C:H, I:H, A:H). In practice, this may mean complete system takeover, modification of security configurations, or access to protected resources.

Mitigation & patch

DriveLock should be updated to version 24.1.5, 24.2.6, or 25.1.4 depending on the product branch in use. Details are available in the manufacturer's official security notes (Security Bulletin 25-001) at the addresses indicated in the references.

Who is affected

DriveLock in versions: 24.1.4 (before 24.1.5), 24.2.5 (before 24.2.6), and 25.1.2 (before 25.1.4)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Drivelock

    APP
    Drivelock
    24.1.424.2.525.1.2
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2025-67781CRITICAL9.9PL ✓ten sam produkt

DriveLock — eskalacja uprawnień przez manipulację procesami uprzywilejowanymi

CVE-2025-67787CRITICAL9.6PL ✓ten sam produkt

XSS w DriveLock Operations Center umożliwiający przejęcie sesji

CVE-2025-67791CRITICAL9.8PL ✓ten sam produkt

DriveLock — obejście uwierzytelniania agenta (Auth Bypass) w DES

CVE-2025-67793CRITICAL9.8PL ✓ten sam produkt

DriveLock — nieautoryzowana eskalacja uprawnień do roli Supervisor przez API

CVE-2025-67792HIGH7.8ten sam produkt

An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. Local unp...