Security Bulletin #26-001 - DriveLock Enterprise Service (DES): Forwarding of Anonymous Requests to Internal Endpoints (ZDI-CAN-28719)
First published: 2026-02-06
Last updated: 2026-02-17
CVE: CVE-2026-XXXX (not yet published)
EUVD: EUVD-XXXX (not yet published)
CVSS Score: MEDIUM 5.3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected product(s): DriveLock SE — DriveLock Enterprise Service (DES)
Disclosure status: Coordinated
Vulnerability type / classification: Incorrect Access Control (Information Disclosure)
Attack type: Remote
Attack vector: Network (URL manipulation)
Summary
A misconfigured reverse proxy in the DriveLock Enterprise Service (DES) may allow unauthorized forwarding of anonymous requests to internal endpoints. This could lead to information disclosure affecting configuration data.
Description
A misconfigured reverse proxy in the server's web API allows unauthorized public read access to global and tenant configuration that should only be accessible within the internal network. Access controls can be bypassed through URL manipulation techniques.
By leveraging URL encoding, an attacker can obfuscate the ".." sequence (path traversal marker), potentially bypassing security controls and exposing internal services to unauthorized access.
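The defensive check that closes this class of bug is to canonicalize the request path (percent-decode until stable, then resolve dot segments) before deciding whether an anonymous request may be forwarded. The following is an added example, not DriveLock's code; the `/internal/` prefix is a hypothetical placeholder for endpoints that must stay reachable only from the internal network.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical prefix for endpoints the public reverse proxy must never forward
# anonymous requests to (an assumption for this example, not a DriveLock path).
INTERNAL_PREFIX = "/internal/"


def canonicalize_path(raw_path: str) -> str:
    """Return the path the backend will actually see for a raw request target.

    Percent-decoding repeats until the string stops changing, so double encoding
    (e.g. %252e) cannot hide a ".." segment, and dot segments are resolved before
    any prefix comparison takes place.
    """
    path = raw_path.split("?", 1)[0]
    for _ in range(5):  # bounded loop: a few rounds cover realistic nesting
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if not path.startswith("/"):
        path = "/" + path
    normalized = posixpath.normpath(path)  # collapses "." and ".." segments
    if path.endswith("/") and normalized != "/":
        normalized += "/"  # normpath drops trailing slashes; keep prefix semantics
    return normalized


def naive_is_internal(raw_path: str) -> bool:
    # Weak check: compares the raw string, so encoded dot segments slip past it.
    return raw_path.startswith(INTERNAL_PREFIX)


def hardened_is_internal(raw_path: str) -> bool:
    # Correct check: compares the canonical path, the one the backend resolves.
    return canonicalize_path(raw_path).startswith(INTERNAL_PREFIX)


def proxy_decision(raw_path: str, authenticated: bool) -> str:
    """Decide 'forward' or 'deny' for a request arriving at the public proxy."""
    if hardened_is_internal(raw_path) and not authenticated:
        return "deny"
    return "forward"
```

Running `proxy_decision` on a constructed request target such as `/public/%2e%2e/internal/config` without a session shows the naive prefix check accepting it while the canonicalized check denies it.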
Affected versions
- DriveLock <= 24.2.8 — vulnerable (fixed in 24.2.9)
- DriveLock <= 25.1.6 — vulnerable (fixed in 25.1.7)
- DriveLock <= 25.2.3 — vulnerable (fixed in 25.2.4)
Mitigation
Update to the patched versions immediately.
Fixed in
- DriveLock 24.2.9
- DriveLock 25.1.7
- DriveLock 25.2.4
References
- CVE-2026-XXXX (not yet published)
- ZDI-CAN-28719
Credits
This vulnerability was discovered by stuxxn working with TrendAI Zero Day Initiative.
How to update your environment
To ensure continued protection, update to one of the fixed versions listed above.
Additionally, we always recommend using the latest available DriveLock release to benefit from ongoing improvements and security enhancements.