HIGH 7.3

CVE-2026-44682: Acronis DeviceLock DLP Local Privilege Escalation via DLL Hijacking

Acronis DeviceLock DLP for Windows contains a vulnerability that allows a local user to gain elevated system privileges through DLL hijacking. An attacker with basic user-level access can exploit this flaw to escalate to administrator or system privileges, potentially compromising the entire endpoint. The vulnerability requires the user to interact with the application, such as launching a dialog or feature that triggers the malicious DLL load.

Source data · NVD / CISA · public domain

CVSS
3.0 · 7.3 HIGH · CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-427
Affected products
0 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This is a local privilege escalation (LPE) vulnerability stemming from unsafe DLL loading practices (CWE-427). DeviceLock DLP does not properly validate DLL paths or implement secure search-order practices, allowing an attacker to place a malicious DLL in a location where the application will load it with elevated privileges. The attack surface is local; the attacker must have an account on the target system and user interaction is required to trigger the vulnerable code path. The CVSS 3.0 score of 7.3 reflects the combination of local attack vector, low complexity, low privilege requirement, and complete compromise of confidentiality, integrity, and availability.

Business impact

A successful exploit could allow an insider or low-privileged user to assume administrative control of an endpoint running DeviceLock DLP, bypassing endpoint security controls and DLP protections that the software was meant to enforce. This creates a significant risk for organizations relying on DeviceLock for data loss prevention and compliance, as the protective layer itself becomes a liability if compromised. Potential impacts include unauthorized data exfiltration, malware installation, lateral movement to other systems, and tampering with audit logs.

Affected systems

Acronis DeviceLock DLP for Windows before build 9.0.15051.93227 is affected. Organizations should verify their deployed version against this build number. The vulnerability is Windows-specific; other platforms supported by DeviceLock are not mentioned as affected.

Exploitability

Exploitability is moderate. The attack requires local system access and user interaction to trigger the vulnerable code path, which limits opportunistic mass exploitation but does not eliminate risk in environments where users have standard accounts or contractor/temporary access. No public exploit code or active exploitation in the wild has been documented, and the vulnerability is not tracked on the CISA Known Exploited Vulnerabilities (KEV) catalog.

Remediation

Organizations must upgrade Acronis DeviceLock DLP to build 9.0.15051.93227 or later. This requires coordination with patch management and change control processes. In the interim, organizations should apply principle-of-least-privilege practices, restrict local administrator availability, and monitor for suspicious DLL loading or unusual process behavior on affected endpoints.

Patch guidance

Verify the current build number of DeviceLock DLP in your environment by checking the application version details or via vendor deployment tools. Obtain and validate the patch from Acronis through official channels, confirm compatibility with your existing deployment and any dependent integrations, and test in a controlled environment before rolling out to production. Ensure proper rollback procedures are documented before proceeding with widespread deployment.

Detection guidance

Monitor for unsigned or unexpected DLLs being loaded by DeviceLock processes (DeviceLock.exe, related services). Examine File Create and DLL Load events in Windows Event Tracing or Sysmon logs for DLLs written to directories that precede the legitimate search path (current directory, temporary folders, user profile directories). Correlate with privilege escalation events (token impersonation, process creation with elevated tokens). Antivirus and EDR tools should be tuned to alert on DLL hijacking patterns specific to Acronis processes.

Why prioritize this

This vulnerability merits prompt remediation due to its HIGH severity, complete compromise potential (confidentiality, integrity, availability all affected), and the critical role of DLP software in compliance and data protection posture. While exploitability requires local access and user interaction, insider threats and compromised user accounts are common attack vectors. The build-specific patch (9.0.15051.93227) provides a clear remediation target and should be treated as urgent in environments where DeviceLock is a core security control.

Risk score, explained

The CVSS 3.0 score of 7.3 (HIGH) reflects: local attack vector (reduces initial compromise difficulty but limits blast radius), low attack complexity (no sophisticated techniques required), low privilege requirement (any authenticated user can attempt), required user interaction (slightly reduces likelihood), and high impact across confidentiality, integrity, and availability. The score appropriately reflects the serious nature of LPE in a security-critical tool but acknowledges that exploitation requires prior local access.

Frequently asked questions

Do I need to patch if users do not have local administrator rights?

Yes. DLL hijacking vulnerabilities can allow escalation from any user account to administrator. Even if your users run as standard users, a compromised or malicious standard account can exploit this to gain full system control. Patching is essential regardless of privilege model.

Is this vulnerability being actively exploited?

No. The vulnerability is not listed on the CISA KEV catalog, and there is no public evidence of widespread exploitation. However, absence of known exploitation does not mean it is safe to delay patching; DLL hijacking is a well-understood attack technique that can be weaponized by motivated threat actors.

Can I mitigate this without patching?

Partial mitigations include restricting local logon privileges, enforcing application whitelisting, and monitoring DLL loads for anomalies. However, these are detective or preventive controls, not fixes for the underlying vulnerability. Patching is the only true remediation.

Which build of DeviceLock am I running?

Open DeviceLock, navigate to Help > About or check Control Panel > Programs > Programs and Features for the version number. Cross-reference against build 9.0.15051.93227 to determine if you are affected. If unsure, contact Acronis support with your system details.

This analysis is provided for informational purposes and does not constitute legal, compliance, or professional security advice. Organizations must conduct their own risk assessment and validation of patches before deployment. Information in this page is current as of the publication date and may be subject to updates from Acronis or the cybersecurity community. Always verify patch version numbers and compatibility matrices against official vendor advisories before implementation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).