Security Bulletin #25-008 - DriveLock Enterprise Service: Privilege escalation for DOC users



First published: 2025-11-12

Last updated: n/a

CVE: CVE-2025-XXXXX (requested) — official record will be available on MITRE once published.

CVSS Score: HIGH 8.5 – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H

Affected product(s): DriveLock SE — DriveLock Enterprise Service (DES) (see versions below)

Disclosure status: Coordinated

Vulnerability type / classification: Incorrect Access Control / Role Escalation

Attack type: Network

Attack vector: API Call


Summary

Privileged users can elevate their own roles or those of other users to Supervisor.

Description

Users with the “Manage roles and permissions” privilege can promote themselves or other DOC users to the Supervisor role through an API call. This privilege is included by default in the Administrator role. This issue mainly affects cloud multi-tenant deployments; on-prem single-tenant installations are typically not impacted because local admins usually already have Supervisor privileges.

Affected versions

  • DriveLock 24.1 on-premises — vulnerable

  • DriveLock 24.2 on-premises — vulnerable

  • DriveLock 25.1 (cloud & on-premises) — vulnerable (fixed in 25.1.6)

    • Fixed in Cloud: 25.1.5 + Updates

    • Fixed on-prem: 25.1.6 (Patch 4)

References

CVE-2025-XXX (requested) — official record will be available on MITRE once published.

Mitigation

The cloud update has already been rolled out. Apply on-premises 25.1.6 (Patch 4) immediately.

Temporary: restrict DOC admin accounts to trusted staff; enable/monitor audit logging for role changes.
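As an added illustration of the defect described above and of the audit review suggested in the temporary mitigation (not DriveLock's code; role names other than those in the bulletin, privilege identifiers and audit-record fields are assumptions), the following shows a role-assignment check that only tests the caller's privilege beside one that also caps grants at the caller's own privilege level:

```python
"""Constructed illustration of the access-control defect in this bulletin
and of the check that closes it; not DriveLock code. Role names, privilege
identifiers and the audit-record fields are assumptions."""
from dataclasses import dataclass, field

# Assumed privilege sets per role. "Manage roles and permissions" is the
# privilege named in the bulletin; the other entries are placeholders.
ROLE_PRIVILEGES = {
    "Viewer": {"view"},
    "Administrator": {"view", "manage_devices", "manage_roles_and_permissions"},
    "Supervisor": {"view", "manage_devices", "manage_roles_and_permissions",
                   "manage_tenants"},
}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

    def privileges(self) -> set:
        return set().union(*(ROLE_PRIVILEGES[r] for r in self.roles))

def assign_role_vulnerable(caller: User, target: User, role: str) -> bool:
    """Checks only that the caller may manage roles, so any Administrator
    can grant Supervisor to another user or to themselves."""
    if "manage_roles_and_permissions" not in caller.privileges():
        return False
    target.roles.add(role)
    return True

def assign_role_fixed(caller: User, target: User, role: str) -> bool:
    """Additionally requires the granted role's privileges to be a subset
    of the caller's own, so a grant can never exceed the granter's ceiling."""
    if role not in ROLE_PRIVILEGES:
        return False
    if "manage_roles_and_permissions" not in caller.privileges():
        return False
    if not ROLE_PRIVILEGES[role] <= caller.privileges():
        return False  # would escalate beyond what the caller holds
    target.roles.add(role)
    return True

def suspicious_role_changes(events: list) -> list:
    """Audit review for the interim mitigation: return grants of Supervisor
    made by an actor who did not hold Supervisor at the time. Each event is
    an assumed dict with keys "actor", "actor_roles", "target", "role"."""
    return [e for e in events
            if e["role"] == "Supervisor" and "Supervisor" not in e["actor_roles"]]
```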

Fixed in

  • DriveLock 25.1.6 (on-premises). Cloud is already up to date.

How to update your environment

To ensure continued protection, an update to 25.1.6 is required.

Additionally, regardless of this specific issue, we always recommend using the latest release of DriveLock to benefit from ongoing improvements and security enhancements.

A CVE has been requested and is currently under review by an official CNA authority. We will inform you once it is published.