CVE-2025-67794: n/a
An issue was discovered in DriveLock 24.1 through 24.1.*, 24.2 before 24.2.8, and 25.1 before 25.1.6. Directories and files created by the agent are created with overly permissive ACLs, allowing local users without administrator rights to trigger actions or destabilize the agent.
AI Analysis
Technical Summary
CVE-2025-67794 is a vulnerability identified in DriveLock endpoint security software versions 24.1 through 24.1.*, 24.2 before 24.2.8, and 25.1 before 25.1.6. The core issue is that the DriveLock agent creates directories and files with overly permissive Access Control Lists (ACLs), specifically granting local users without administrator privileges the ability to interact with these resources in unintended ways. This misconfiguration allows such users to trigger actions within the agent or destabilize its operation, potentially leading to privilege escalation, unauthorized access, or denial of service conditions. The vulnerability is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource), the weakness class in which a security-relevant resource is given permissions that let unauthorized users act on it. The CVSS v3.1 score is 8.4, indicating high severity; the vector specifies a local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no exploits have been reported in the wild yet, the vulnerability's characteristics make it a significant risk, especially in environments where multiple users share endpoints or where local user accounts are common. The lack of patches at the time of reporting necessitates immediate attention to permissions and monitoring. The vulnerability could be exploited by local attackers to manipulate the agent's behavior, potentially bypassing security controls or causing system instability.
Potential Impact
For European organizations, the impact of CVE-2025-67794 can be substantial. DriveLock is widely used in enterprise environments for endpoint protection and data loss prevention, especially in sectors with stringent data security requirements such as finance, healthcare, and government. The vulnerability allows local non-administrator users to interfere with the security agent, potentially leading to unauthorized data access, modification, or disruption of security services. This could result in data breaches, compliance violations (e.g., GDPR), and operational downtime. Organizations with shared workstations or environments where users have local accounts but limited privileges are particularly vulnerable. The ability to destabilize or manipulate the agent could also facilitate further attacks, such as privilege escalation or lateral movement within networks. Given the high CVSS score and the critical nature of the impacted security controls, the threat poses a serious risk to confidentiality, integrity, and availability of sensitive information and systems across European enterprises.
Mitigation Recommendations
To mitigate CVE-2025-67794, organizations should first verify the versions of DriveLock deployed and prioritize upgrading to versions 24.2.8 or later, or 25.1.6 or later once patches are released. In the absence of official patches, administrators should audit and tighten ACLs on directories and files created by the DriveLock agent to ensure that only authorized system accounts and administrators have access. Implementing strict file system permissions and using tools to monitor changes to these ACLs can help detect and prevent exploitation attempts. Additionally, restricting local user permissions and minimizing the number of users with local access can reduce the attack surface. Employing application whitelisting and endpoint detection and response (EDR) solutions can help identify anomalous behaviors related to the agent. Regularly reviewing security logs for signs of agent destabilization or unauthorized access attempts is also recommended. Finally, organizations should prepare incident response plans specific to endpoint security agent compromise scenarios.
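As an added defensive check (not part of this advisory and not DriveLock's own tooling), the following PowerShell script audits a directory tree for Allow ACEs that grant write-class rights to principals other than SYSTEM, Administrators and TrustedInstaller, which is the CWE-732 pattern described above. The `$AgentRoot` path and the `$trusted` list are assumptions: the advisory does not name the agent's directories, so substitute the real paths from your deployment.

```powershell
# Added example: report ACL entries under a directory tree that let non-admin
# principals write, delete, change permissions or take ownership.
# $AgentRoot is a placeholder; the advisory does not name the agent's paths.
param(
    [string]$AgentRoot = 'C:\ProgramData\PLACEHOLDER_AgentRoot'
)

# Rights that allow a principal to alter content, permissions or ownership.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = $fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
             $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::WriteAttributes -bor
             $fsr::WriteExtendedAttributes -bor $fsr::ChangePermissions -bor
             $fsr::TakeOwnership

# Principals expected to hold write rights on a security agent's data (assumption).
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Audit the root itself plus everything below it, including hidden items.
$items = @(Get-Item -LiteralPath $AgentRoot -Force -ErrorAction Stop) +
         @(Get-ChildItem -LiteralPath $AgentRoot -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($trusted -contains $id) { continue }
        # Only report ACEs that actually include a write-class right.
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $item.FullName
            Principal = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # inherited ACEs point at a parent to fix
        }
    }
}

if ($findings) {
    $findings | Sort-Object Path, Principal | Format-Table -AutoSize
} else {
    Write-Output "No write-class rights for non-trusted principals under $AgentRoot"
}
```

Inherited entries flag the parent directory whose ACL needs tightening; review the report before changing permissions, since an agent may legitimately expect some paths to be writable by its own service account.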
Affected Countries
Germany, France, United Kingdom, Netherlands, Switzerland, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-12-12T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6943260ffab815a9fc251844
Added to database: 12/17/2025, 9:52:15 PM
Last enriched: 12/24/2025, 10:46:46 PM
Last updated: 2/8/2026, 2:56:41 AM