Description
Local privilege escalation due to excessive permissions assigned to child processes. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227.
Published: 2026-06-03
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Acronis DeviceLock DLP for Windows contains a flaw that allows a local user to gain elevated privileges by exploiting child processes that run with excessive permissions. The vulnerability arises from misconfigured privilege assignment in process creation, permitting a local attacker to execute code with higher authority than intended. This impacts confidentiality, integrity, and availability by enabling unauthorized modification or execution of system resources confined to the malicious user.

Affected Systems

The affected product is Acronis DeviceLock DLP for Windows, specifically builds prior to 9.0.15051.93227. All installations on Windows systems that have not upgraded beyond this build are vulnerable.

Risk and Exploitability

The CVSS base score of 7.3 indicates high severity. EPSS is not available, so the data set does not provide an exploitation probability metric. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires local access and does not need network exposure; a local adversary can invoke the affected child process to elevate privileges. The nature of the flaw is a CWE‑250 (Insecure Permissions) attack.

Generated by OpenCVE AI on June 3, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Acronis DeviceLock DLP to build 9.0.15051.93227 or later
  • Restart the system after applying the update to ensure child processes reload with correct permissions
  • Audit and review account permissions to confirm that non‑admin users do not have unnecessary rights to spawn DeviceLock child processes

Generated by OpenCVE AI on June 3, 2026 at 21:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Over‑Permissioned Child Processes in Acronis DeviceLock DLP

Wed, 03 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Acronis
Acronis acronis Devicelock Dlp
Vendors & Products Acronis
Acronis acronis Devicelock Dlp

Wed, 03 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description Local privilege escalation due to excessive permissions assigned to child processes. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227.
Weaknesses CWE-250
References
Metrics cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Acronis Acronis Devicelock Dlp
cve-icon MITRE

Status: PUBLISHED

Assigner: Acronis

Published:

Updated: 2026-06-03T19:26:17.368Z

Reserved: 2026-04-27T10:37:25.497Z

Link: CVE-2026-42061

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-03T20:16:20.497

Modified: 2026-06-03T20:16:20.497

Link: CVE-2026-42061

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T22:00:15Z

Weaknesses