PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-25852 Acronis CVE debrief

A local privilege escalation vulnerability exists in Acronis DeviceLock DLP for Windows due to DLL hijacking (CWE-427). The vulnerability affects versions prior to build 9.0.93212. An attacker with local access and low privileges could exploit this issue by placing a malicious DLL in a location that the affected application loads from, resulting in execution with elevated privileges. The CVSS 3.0 vector indicates this requires local access (AV:L), high attack complexity (AC:H), low privileges (PR:L), and user interaction (UI:R), with high impacts to confidentiality, integrity, and availability. The vulnerability was published on April 29, 2026, and last modified on May 19, 2026. Acronis has issued security advisory SEC-7217 addressing this issue.

Vendor
Acronis
Product
Acronis DeviceLock DLP
CVSS
MEDIUM 6.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-29
Original CVE updated
2026-05-19
Advisory published
2026-04-29
Advisory updated
2026-05-19

Who should care

Organizations running Acronis DeviceLock DLP on Windows endpoints, particularly those with multi-user environments where low-privilege users have write access to application directories or system paths. Security teams responsible for endpoint protection and data loss prevention infrastructure should prioritize patching.

Technical summary

The root cause is an uncontrolled search path element (CWE-427): a DLL that the DeviceLock DLP application loads by name rather than by full path is resolved through the Windows DLL search order, so a directory that is searched before the legitimate DLL's location (or any searched directory, if that DLL is absent on the host) and that a low-privileged user can write to lets the attacker substitute their own DLL. When the privileged component loads it, the attacker's DllMain runs with that component's privileges. The CVSS vector requires local access (AV:L), an existing low-privileged account (PR:L) and user interaction (UI:R) to trigger the load; the high attack complexity (AC:H) reflects that success depends on conditions outside the attacker's control, such as a writable directory on the search path and the load occurring at the right moment.
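To make the search-order point concrete, the following PowerShell script is an added example (not Acronis code and not taken from advisory SEC-7217): it reconstructs the default search order for an application directory and reports which of those directories a standard user can create files in. The install path in `$AppDir`, the list of low-privileged principals and the order itself (the classic SafeDllSearchMode order for a by-name load that is not a KnownDLL and without `SetDefaultDllDirectories` or manifest redirection) are assumptions for the example.

```powershell
# Added example, not Acronis code. Enumerates the default DLL search order for an
# application directory and flags entries a standard user can write to.
param(
    [string]$AppDir = 'C:\Program Files\DeviceLock'   # assumed path; adjust locally
)

# Principals whose Allow ACEs mean any local user can drop a file in the directory.
$lowPrivPrincipals = @(
    'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
)

function Test-WritableByStandardUser {
    # Conservative check: any Allow ACE granting file or directory creation to a
    # low-privileged principal counts. Deny ACEs are not evaluated here.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path } catch { return $false }
    $mask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
            [System.Security.AccessControl.FileSystemRights]::CreateDirectories
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $mask) -ne 0) { return $true }
    }
    return $false
}

function Get-DefaultDllSearchOrder {
    # Search order with SafeDllSearchMode enabled (the OS default):
    # application dir, System32, 16-bit System, Windows, current dir, then PATH.
    param([Parameter(Mandatory)][string]$ApplicationDirectory)
    $order = New-Object 'System.Collections.Generic.List[string]'
    $order.Add($ApplicationDirectory)
    $order.Add([Environment]::SystemDirectory)
    $order.Add((Join-Path $env:SystemRoot 'System'))
    $order.Add($env:SystemRoot)
    $order.Add((Get-Location).Path)
    foreach ($p in ($env:Path -split ';')) {
        if ($p.Trim()) { $order.Add($p.Trim()) }
    }
    return $order
}

$i = 0
foreach ($dir in (Get-DefaultDllSearchOrder -ApplicationDirectory $AppDir)) {
    $i++
    [pscustomobject]@{
        Order                = $i
        Directory            = $dir
        Exists               = (Test-Path -LiteralPath $dir -PathType Container)
        StandardUserCanWrite = (Test-WritableByStandardUser -Path $dir)
    }
}
```

Any row with `StandardUserCanWrite` true that sits earlier in the list than the directory holding a legitimately loaded DLL (or any such row, for a DLL the application probes for but that is not present) is a planting location; PATH entries added by third-party installers are the usual offenders.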

Defensive priority

medium

Recommended defensive actions

  • Upgrade Acronis DeviceLock DLP to build 9.0.93212 or later
  • Review Acronis security advisory SEC-7217 for detailed remediation guidance
  • Implement application control with DLL rules (for example WDAC or AppLocker) and DLL loading restrictions as defense-in-depth
  • Monitor for unauthorized DLL placement in application directories
  • Validate DLL signatures and enforce Safe DLL Search Mode on affected systems
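The actions above can be checked from an elevated PowerShell prompt. The script below is an added verification example, not Acronis code and not part of advisory SEC-7217. It assumes the product registers an uninstall entry whose DisplayName contains "DeviceLock" and whose DisplayVersion can be compared as a version against the fixed build 9.0.93212, and that `$AppDir` is the install directory; both are assumptions to confirm on the host.

```powershell
# Added verification example, not Acronis code. Checks installed build against the
# fixed build, confirms Safe DLL Search Mode, and lists unsigned or recently changed
# DLLs under the install directory. Run elevated.
param(
    [string]$AppDir = 'C:\Program Files\DeviceLock',   # assumed path; adjust locally
    [version]$FixedBuild = '9.0.93212'                 # fixed build from the advisory
)

function Get-InstalledDeviceLockEntries {
    # Assumption: the product's Add/Remove Programs entry mentions DeviceLock.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*DeviceLock*' } |
        Select-Object DisplayName, DisplayVersion
}

function Test-SafeDllSearchMode {
    # An absent value means enabled (the OS default); an explicit 0 disables it.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $v = (Get-ItemProperty -Path $key -Name SafeDllSearchMode -ErrorAction SilentlyContinue).SafeDllSearchMode
    return ($null -eq $v) -or ($v -ne 0)
}

function Get-SuspiciousDlls {
    # Flags DLLs whose Authenticode signature is not Valid, or that changed recently
    # (a rough proxy for "unauthorized DLL placement" until proper monitoring exists).
    param([Parameter(Mandatory)][string]$Path, [int]$RecentDays = 30)
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    Get-ChildItem -LiteralPath $Path -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File            = $_.FullName
                SignatureStatus = $sig.Status
                Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                LastWrite       = $_.LastWriteTime
                Recent          = ($_.LastWriteTime -gt $cutoff)
            }
        } |
        Where-Object { $_.SignatureStatus -ne 'Valid' -or $_.Recent }
}

# 1. Installed build vs. fixed build
$entries = @(Get-InstalledDeviceLockEntries)
if ($entries.Count -eq 0) { Write-Warning 'No DeviceLock uninstall entry found; check the install manually.' }
foreach ($e in $entries) {
    $parsed = $null
    $state = if (-not [version]::TryParse($e.DisplayVersion, [ref]$parsed)) { 'unparsed' }
             elseif ($parsed -lt $FixedBuild) { 'VULNERABLE: below fixed build' }
             else { 'patched' }
    "{0}: {1} -> {2}" -f $e.DisplayName, $e.DisplayVersion, $state
}

# 2. Safe DLL Search Mode
"SafeDllSearchMode enabled: {0}" -f (Test-SafeDllSearchMode)

# 3. Unsigned or recently modified DLLs in the install directory
Get-SuspiciousDlls -Path $AppDir | Format-Table -AutoSize
```

A `NotSigned` or `HashMismatch` status on a DLL inside the install directory, or a file written after the last maintenance window, is what the "monitor for unauthorized DLL placement" item is after; confirm the expected signer subject for the product before treating every non-vendor signature as hostile.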

Evidence notes

Primary source: Acronis security advisory SEC-7217. CVSS 3.0 vector: AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H. CWE-427 (Uncontrolled Search Path Element) identified as root cause. Affected product: Acronis DeviceLock DLP (Windows) before build 9.0.93212.

Official resources

Acronis published security advisory SEC-7217 addressing this DLL hijacking vulnerability in DeviceLock DLP. The CVE was initially published on April 29, 2026, with a modification on May 19, 2026. The NVD entry currently shows a status of 'D