
CVE-2025-67794: n/a

0
Unknown
Vulnerability, CVE-2025-67794, cve, cve-2025-67794
Published: Wed Dec 17 2025 (12/17/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue was discovered in DriveLock 24.1 through 24.1.*, 24.2 before 24.2.8, and 25.1 before 25.1.6. Directories and files created by the agent are created with overly permissive ACLs, allowing local users without administrator rights to trigger actions or destabilize the agent.

AI-Powered Analysis

Last updated: 12/17/2025, 22:08:07 UTC

Technical Analysis

CVE-2025-67794 is a security vulnerability identified in multiple versions of DriveLock, a security software product used for endpoint protection and data loss prevention. The issue arises because the DriveLock agent creates certain directories and files with overly permissive access control lists (ACLs). These ACLs allow local users who do not have administrator rights to access, modify, or otherwise interact with these files and directories. This improper permission setting can be exploited by a local non-privileged user to trigger unintended actions within the DriveLock agent or destabilize its operation. Potential exploitation scenarios include causing the agent to malfunction, crash, or behave unpredictably, which could degrade endpoint security posture or lead to denial of service conditions. The vulnerability affects DriveLock versions 24.1 through 24.1.*, 24.2 before 24.2.8, and 25.1 before 25.1.6. No CVSS score has been assigned yet, and no public exploits have been reported. The vulnerability does not require elevated privileges beyond local user access, nor does it require user interaction beyond local system access. This makes it a concern in environments where multiple users share systems or where local user accounts have limited but non-negligible access. The root cause is the misconfiguration of ACLs on agent-created files and directories, which should ideally restrict access to only trusted system or administrator accounts. Remediation will likely involve patching the affected DriveLock versions to correct ACL settings and prevent unauthorized local user interactions with agent files.

Potential Impact

For European organizations, the impact of CVE-2025-67794 can be significant, especially in environments where endpoint security is critical, such as financial institutions, government agencies, and critical infrastructure sectors. The vulnerability allows local non-administrative users to interfere with the DriveLock agent, potentially leading to denial of service or reduced effectiveness of endpoint protection. This could result in increased risk of malware infections, data leakage, or unauthorized system changes if the agent is destabilized or disabled. Organizations with shared workstations or multi-user environments are particularly vulnerable, as any local user could exploit this flaw without needing elevated privileges. The impact on confidentiality, integrity, and availability is primarily through the availability and integrity of the security agent itself. While remote exploitation is not indicated, insider threats or compromised local accounts could leverage this vulnerability. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once patches are released. European organizations relying on DriveLock for compliance with data protection regulations (e.g., GDPR) must address this vulnerability promptly to avoid regulatory and reputational consequences.

Mitigation Recommendations

1. Apply patches or updates from DriveLock as soon as they become available that address the ACL misconfiguration issue.
2. In the interim, review and manually tighten ACLs on directories and files created by the DriveLock agent to restrict access to administrators and trusted system accounts only.
3. Implement strict local user account management policies to minimize the number of users with local access and enforce least privilege principles.
4. Monitor endpoint logs and DriveLock agent behavior for signs of instability, crashes, or unauthorized file modifications.
5. Use endpoint detection and response (EDR) tools to detect anomalous local user activities that could indicate exploitation attempts.
6. Educate IT staff and users about the risks of local privilege misuse and encourage reporting of unusual system behavior.
7. Consider network segmentation and access controls to limit local user access to critical systems where DriveLock is deployed.
8. Conduct regular security audits and vulnerability assessments focusing on endpoint security configurations and permissions.


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-12-12T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 6943260ffab815a9fc251844

Added to database: 12/17/2025, 9:52:15 PM

Last enriched: 12/17/2025, 10:08:07 PM

Last updated: 12/18/2025, 4:41:29 AM
