CVE-2026-42061: Acronis DeviceLock DLP Local Privilege Escalation (CVSS 7.3)
Acronis DeviceLock DLP on Windows contains a local privilege escalation vulnerability stemming from improper permission assignment to child processes. An authenticated user with limited privileges can exploit this flaw to gain elevated system access, potentially compromising data loss prevention controls and system integrity. The vulnerability requires local access and user interaction but delivers high-impact consequences including confidentiality, integrity, and availability breaches.
Source data · NVD / CISA · public domain
- CVSS
- 3.0 · 7.3 HIGH · CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-250
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
Local privilege escalation due to excessive permissions assigned to child processes. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-42061 is rooted in CWE-250 (Execution with Unnecessary Privileges), where child processes inherit or are assigned excessive permissions beyond their operational requirements. Acronis DeviceLock DLP versions prior to build 9.0.15051.93227 are vulnerable. An authenticated local user can trigger privilege escalation through a vector requiring user interaction (UI:R). The CVSS 3.0 vector (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) indicates low attack complexity and unrestricted scope impact across confidentiality, integrity, and availability.
Business impact
DeviceLock DLP is a data loss prevention product; compromise of its escalation controls directly undermines its core protective function. An attacker gaining elevated privileges can bypass DLP policies, exfiltrate sensitive data, modify security configurations, or disable monitoring. Organizations relying on DeviceLock for compliance (e.g., HIPAA, PCI-DSS, GDPR) face policy violation exposure. Incident response and forensic analysis complexity increases when DLP itself becomes an attack surface.
Affected systems
Acronis DeviceLock DLP for Windows is affected in all versions before build 9.0.15051.93227. Organizations should inventory DeviceLock deployments and verify build numbers against this threshold. Linux and macOS variants of DeviceLock are not mentioned in the advisory and should be considered separately per vendor guidance.
Exploitability
Exploitation requires an authenticated local user account with standard privileges and user interaction (such as clicking a malicious link or launching a crafted application). The attack complexity is low, meaning no special conditions or timing are necessary beyond these baseline requirements. While not remotely exploitable, the combination of local access, low complexity, and high impact creates a meaningful risk in environments where endpoint security posture is inconsistent or where privileged users may be targeted by social engineering.
Remediation
Update Acronis DeviceLock DLP for Windows to build 9.0.15051.93227 or later. Verify the installed build number in the product's About or Settings dialog. Plan updates during maintenance windows to minimize DLP monitoring gaps. Test patch deployment in a non-production environment first to confirm compatibility with existing DLP policies and endpoint configurations.
Patch guidance
Acronis typically distributes updates through its management console or manual download portal. Confirm the exact build version available from Acronis (verify against vendor advisory), then deploy via your organization's standard software distribution mechanism. Because DeviceLock is often critical to compliance workflows, coordinate patching with security and operations teams. Monitor post-patch functionality to ensure DLP rules and integrations remain intact.
Detection guidance
Monitor for child process creation with elevated or unexpected privileges using endpoint detection and response (EDR) tools. Log successful and failed privilege escalation attempts at the operating system level (Windows Event Viewer: Event ID 4672 for special logon). Alert on anomalous access to DeviceLock configuration files or registry keys. Review process auditing logs for instances of legitimate DeviceLock processes spawning children with SYSTEM or other elevated tokens when Business Logic does not warrant this.
Why prioritize this
Although not yet listed on CISA's KEV catalog, this vulnerability merits high priority due to its CVSS 7.3 HIGH rating, the central role of DLP in data protection strategies, and the relative ease of local exploitation. Organizations should prioritize patching before higher-complexity remote vulnerabilities in less critical products. The presence of user interaction slightly reduces urgency compared to wormable flaws, but the impact to confidentiality, integrity, and availability justifies early remediation.
Risk score, explained
The CVSS 3.0 score of 7.3 reflects a local-only attack vector (AV:L) with low complexity (AC:L), requiring authenticated access (PR:L) and user interaction (UI:R). Impact is high across all three security pillars (C:H/I:H/A:H), and the scope is unchanged (S:U). The score does not account for business context; organizations running DeviceLock for critical compliance workflows may assign internal risk higher than the base CVSS suggests.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. The CVSS vector AV:L (Attack Vector: Local) and the description both confirm that exploitation requires local system access. Remote attackers cannot directly trigger this privilege escalation; however, a remote compromise leading to local user account access could enable subsequent exploitation of this flaw.
Does this affect all Acronis products?
No, only Acronis DeviceLock DLP for Windows is mentioned. Other Acronis products (backup, disaster recovery solutions) and non-Windows editions of DeviceLock are outside the scope of this CVE unless explicitly stated in updated vendor advisories.
What should we do if we cannot patch immediately?
Mitigate by restricting local user logon privileges where possible, enforcing multi-factor authentication to raise the barrier for compromised credentials, and enhancing monitoring of process creation and privilege escalation events. However, these measures are compensating controls and not substitutes for patching. Schedule the update as soon as feasible.
Is there a workaround available from Acronis?
The advisory references build 9.0.15051.93227 as the fix; consult the Acronis security bulletin for any interim guidance or workarounds. SEC.co recommends contacting Acronis Support directly if your deployment cannot update immediately.
This analysis is provided for informational purposes and based on publicly available information as of the publication date. Organizations must verify all technical claims, patch availability, and affected build numbers against official Acronis security advisories and their own system configurations. SEC.co makes no warranty regarding exploit availability, real-world attack prevalence, or the effectiveness of suggested mitigations in any particular environment. Consult your vendor and security team before implementing changes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-12694HIGHForcepoint VPN Client Local Privilege Escalation (CVSS 7.8 HIGH)
- CVE-2026-10843HIGHOpenShift Cloud Credential Operator AWS IAM Over-Permissioning Vulnerability
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction