CVE-2025-67792 is a local privilege escalation vulnerability affecting DriveLock security software versions before 24.1.6, 24.2.7, and 25.1.5 on Windows platforms. The flaw allows local users with limited privileges to manipulate a DriveLock process to execute arbitrary commands, effectively escalating their privileges and potentially gaining full control over the affected system. This vulnerability is classified under CWE-269, which relates to improper privilege management. The attack vector is local (AV:L), requiring the attacker to have some level of access to the system but no user interaction (UI:N) is needed to exploit it. The vulnerability has low attack complexity (AC:L) and requires low privileges (PR:L), making it easier to exploit once local access is obtained. The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially compromised component, impacting confidentiality, integrity, and availability at a high level (C:H/I:H/A:H). Although no public exploits have been reported yet, the severity and nature of the vulnerability make it a critical concern for organizations relying on DriveLock for endpoint security. The vulnerability allows attackers to bypass security controls and execute arbitrary code, which could lead to data theft, system manipulation, or denial of service.

For European organizations, this vulnerability poses a significant risk as it can lead to full system compromise from a local user perspective. Organizations with DriveLock deployed on Windows endpoints, especially in sectors with sensitive data such as finance, healthcare, and government, could face data breaches, operational disruptions, and loss of trust. The ability for low-privileged users to escalate privileges undermines endpoint security and could facilitate lateral movement within networks. This risk is heightened in environments where endpoint devices are shared or where insider threats are a concern. The lack of required user interaction and the low complexity of exploitation increase the likelihood of successful attacks once local access is gained. The vulnerability could also be leveraged in multi-stage attacks to gain persistent access or deploy ransomware. Given DriveLock’s role in data protection and device control, exploitation could severely impact compliance with European data protection regulations such as GDPR.

European organizations should immediately verify their DriveLock versions and prioritize upgrading to versions 24.1.6, 24.2.7, or 25.1.5 or later where the vulnerability is patched. In the absence of immediate patching, organizations should enforce strict local user privilege management, restricting access to only trusted users and minimizing the number of users with local access rights. Implement application whitelisting and monitor for unusual process manipulations related to DriveLock. Employ endpoint detection and response (EDR) solutions to detect anomalous command executions and privilege escalations. Regularly audit local accounts and remove or disable unnecessary ones. Network segmentation can limit the impact of compromised endpoints. Additionally, educate users about the risks of local access exploitation and enforce strong physical security controls to prevent unauthorized local access to devices. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential compromises.