Security Bulletin #26-003 - DriveLock Enterprise Service (DES): Improper User Path Validation (Directory Traversal) (ZDI-CAN-28713 / ZDI-CAN-28722 / ZDI-CAN-28746)
First published: 2026-02-06
Last updated: 2026-02-17
CVE: CVE-2026-XXXX (not yet published)
EUVD: EUVD-XXXX (not yet published)
CVSS Score: HIGH 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected product(s): DriveLock SE — DriveLock Enterprise Service (DES)
Disclosure status: Coordinated
Vulnerability type / classification: Directory Traversal (Information Disclosure)
Attack type: Remote
Attack vector: Network (manipulated file path)
Summary
An improper user path validation vulnerability in the DriveLock Enterprise Service (DES) allows remote attackers to access arbitrary files outside of the intended directory structure, potentially leading to information disclosure.
Description
A directory traversal vulnerability in DES allows an attacker to read files outside of the intended directory. The issue results from insufficient validation of user-supplied file paths: traversal sequences are not rejected or canonicalized before the path is used.
By supplying a crafted file path containing directory traversal sequences such as "..", a remote attacker with no authentication (CVSS PR:N) may bypass the intended directory restriction and retrieve sensitive files from the server file system. The CVSS vector (C:H/I:N/A:N) reflects read-only impact: files can be disclosed but not modified.
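The following Python block is an added illustration of the weakness class the bulletin describes and of the check a fix needs; it is not DriveLock code and does not reproduce the DES endpoint. BASE_DIR and every request path in it are hypothetical. It contrasts a naive join of the client-supplied path against a canonicalizing check that also covers the variants a simple ".." filter misses (percent-encoding, backslash separators, absolute paths, drive letters, NUL bytes).

```python
"""Directory-traversal path validation: naive join vs. a canonicalizing check.

Added illustration for this bulletin (not DriveLock code). BASE_DIR and the
request paths are hypothetical; nothing here touches the real filesystem.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical directory the service is meant to serve files from.
BASE_DIR = "/srv/des/files"


def vulnerable_resolve(user_path: str) -> str:
    """The weak pattern: trust the client-supplied path and glue it onto BASE_DIR."""
    return BASE_DIR + "/" + user_path


def where_it_lands(joined_path: str) -> str:
    """Show what the OS would actually open: treat '\\' as a separator (as
    Windows does) and lexically collapse '.' and '..' segments."""
    return posixpath.normpath(joined_path.replace("\\", "/"))


def safe_resolve(user_path: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the resolved path if it stays strictly inside base_dir, else None.

    Covers the bypasses a naive '..' substring filter misses: percent-encoded
    dots/slashes, backslash separators, absolute paths, drive letters, NUL.
    """
    decoded = unquote(user_path)                 # "%2e%2e%2f" -> "../"
    if "\x00" in decoded:                        # NUL-truncation tricks
        return None
    decoded = decoded.replace("\\", "/")         # "..\\" separates on Windows
    if decoded.startswith("/"):                  # absolute path
        return None
    if len(decoded) > 1 and decoded[1] == ":":   # "C:\\..." drive letter
        return None
    base = base_dir.rstrip("/")
    full = posixpath.normpath(posixpath.join(base, decoded))
    # Compare against base + "/" so a sibling such as "/srv/des/files_backup"
    # is rejected too; a bare prefix test on the string would accept it.
    if not full.startswith(base + "/"):
        return None
    return full


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for req in ["reports/2026/audit.log", "../../etc/passwd",
                "..%2f..%2fetc%2fpasswd", "..\\..\\Windows\\win.ini"]:
        print(f"{req!r:32} naive -> {where_it_lands(vulnerable_resolve(req))}"
              f"   checked -> {safe_resolve(req)}")
```

The check above is purely lexical. A production fix should additionally resolve the final path on the real filesystem (for example with os.path.realpath, or the equivalent in the service's own language) and re-run the containment test, so that symlinks and NTFS junctions below the base directory cannot point outside it; on Windows the comparison should also be case-insensitive and should reject trailing dots and spaces, which the filesystem silently strips.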
Affected versions
- DriveLock <= 24.2.8 — vulnerable (fixed in 24.2.9)
- DriveLock <= 25.1.6 — vulnerable (fixed in 25.1.7)
- DriveLock <= 25.2.3 — vulnerable (fixed in 25.2.4)
Mitigation
Update to the patched versions immediately.
Fixed in
- DriveLock 24.2.9
- DriveLock 25.1.7
- DriveLock 25.2.4
References
- CVE-2026-XXXX (not yet published)
- ZDI-CAN-28713
- ZDI-CAN-28722
- ZDI-CAN-28746
Credits
This vulnerability was discovered by stuxxn working with TrendAI Zero Day Initiative.
How to update your environment
To ensure continued protection, update to one of the fixed versions listed above.
Additionally, we always recommend using the latest available DriveLock release to benefit from ongoing improvements and security enhancements.