CVE-2025-67794
📋 TL;DR
DriveLock agent versions 24.1-24.2.7 and 25.1-25.1.5 create directories and files with overly permissive access control lists (ACLs). This allows local non-administrator users to trigger unauthorized actions or destabilize the agent, potentially disrupting endpoint security controls.
💻 Affected Systems
- DriveLock
📦 What is this software?
Drivelock by Drivelock
⚠️ Risk & Real-World Impact
Worst Case
Local users could modify or delete critical DriveLock files, disable security policies, or crash the agent, leaving endpoints unprotected from security threats.
Likely Case
Non-admin users could interfere with DriveLock operations, cause service instability, or access sensitive configuration files they shouldn't have permissions to view.
If Mitigated
With proper access controls and monitoring, impact is limited to potential service disruption without data compromise or privilege escalation.
🎯 Exploit Status
Exploitation requires local access but no special privileges or complex techniques - just standard file system operations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.2.8 or 25.1.6
Vendor Advisory: https://drivelock.help/sb/Content/SecurityBulletins/25-009-AgIncPermissions.htm
Restart Required: Yes
Instructions:
1. Download and install DriveLock version 24.2.8 (for 24.2 branch) or 25.1.6 (for 25.1 branch).
2. For 24.1 versions, upgrade to 24.2.8 or 25.1.6.
3. Restart affected systems to ensure new ACLs are applied.
🔧 Temporary Workarounds
Manual ACL Hardening
Windows: Manually adjust permissions on DriveLock directories to restrict non-admin access
icacls "C:\Program Files\DriveLock" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F"
icacls "C:\ProgramData\DriveLock" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F"
🧯 If You Can't Patch
- Implement strict access controls on DriveLock directories using group policy or manual ACL adjustments
- Monitor DriveLock directories for unauthorized access attempts using file integrity monitoring
🔍 How to Verify
Check if Vulnerable:
Check DriveLock version via Control Panel > Programs and Features, or check registry: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Centennial\DriveLock\Version
Check Version:
reg query "HKLM\SOFTWARE\WOW6432Node\Centennial\DriveLock" /v Version
Verify Fix Applied:
Verify version is 24.2.8 or higher (24.2 branch) or 25.1.6 or higher (25.1 branch), and check ACLs on DriveLock directories show restricted non-admin access
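One way to carry out the ACL check described under "Verify Fix Applied", as an added PowerShell example (not from DriveLock or the vendor advisory). It assumes the two directory paths and the registry key shown on this page, and it treats SYSTEM, Administrators, CREATOR OWNER and TrustedInstaller as the only principals expected to hold write access.

```powershell
# Added example: list ACEs that let untrusted principals modify DriveLock files or folders.
# Paths and registry key are the ones named on this page; adjust if your install differs.
$paths  = 'C:\Program Files\DriveLock', 'C:\ProgramData\DriveLock'
$regKey = 'HKLM:\SOFTWARE\WOW6432Node\Centennial\DriveLock'

# Assumption: only these well-known SIDs should hold write access.
$trusted = @(
    'S-1-5-18',      # SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER (placeholder; applies to whoever can already create objects)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow changing or removing content, plus GENERIC_WRITE (0x40000000) and
# GENERIC_ALL (0x10000000), which inherit-only ACEs may carry instead of specific file rights.
$fileWrite = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int]$fileWrite -bor 0x40000000 -bor 0x10000000

$findings = foreach ($root in $paths | Where-Object { Test-Path -LiteralPath $_ }) {
    $items = @(Get-Item -LiteralPath $root -Force) +
             @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }
        # Ask for SIDs directly so unresolvable or renamed accounts are still compared correctly.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($trusted -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$version = (Get-ItemProperty -Path $regKey -Name Version -ErrorAction SilentlyContinue).Version
"DriveLock version from registry: $version"
if ($findings) {
    $findings | Sort-Object Path, Sid | Format-Table -AutoSize -Wrap
} else {
    'No write-capable ACEs for untrusted principals found.'
}
```

Run it from an elevated PowerShell session so every ACL can be read. Any row it prints is a file or folder where a principal outside the trusted list can still write, delete or change permissions.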
📡 Detection & Monitoring
Log Indicators:
- Windows Security event logs showing unauthorized access attempts to DriveLock directories (Event ID 4663)
- DriveLock agent logs showing unexpected service restarts or failures
Network Indicators:
- None - this is a local file system vulnerability
SIEM Query:
EventID=4663 AND ObjectName:"*DriveLock*" AND AccessMask!=0x100000 AND SubjectUserName!="SYSTEM" AND SubjectUserName!="Administrator"