In DriveLock 24.1.4 before 24.1.5, 24.2.5 before 24.2.6, and 25.1.2 before 25.1.4, attackers can gain elevated privileges.
The vulnerability results from improper privilege management (CWE-269) in DriveLock software. An attacker with only basic user privileges (PR:L) can, through the network (AV:N), without victim interaction (UI:N), cause privilege escalation. The CVSS vector indicates a scope change (S:C), meaning the impact of the attack may extend beyond the directly attacked component and affect other parts of the infrastructure.
An attacker can obtain elevated privileges, leading to complete compromise of confidentiality, integrity, and availability of the system (C:H, I:H, A:H). In practice, this may mean complete system takeover, modification of security configurations, or access to protected resources.
DriveLock should be updated to version 24.1.5, 24.2.6, or 25.1.4 depending on the product branch in use. Details are available in the manufacturer's official security notes (Security Bulletin 25-001) at the addresses indicated in the references.
DriveLock in versions: 24.1.4 (before 24.1.5), 24.2.5 (before 24.2.6), and 25.1.2 (before 25.1.4)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HDrivelock
APPDrivelock24.1.424.2.525.1.2
Related vulnerabilities
DriveLock — eskalacja uprawnień przez manipulację procesami uprzywilejowanymi
XSS w DriveLock Operations Center umożliwiający przejęcie sesji
DriveLock — obejście uwierzytelniania agenta (Auth Bypass) w DES
DriveLock — nieautoryzowana eskalacja uprawnień do roli Supervisor przez API
An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. Local unp...