Security Bulletin #25-004 — DriveLock Enterprise Service: Information Disclosure (CVE request)
First published: 2025-09-25
Last updated: 2025-09-29
CVE: CVE-2025-XXXXX (requested) — official record will be available on MITRE once published.
CVSS Score: MEDIUM 5.3 – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected product(s): DriveLock SE — DriveLock Enterprise Service (DES) (see versions below)
Disclosure status: Coordinated
Vulnerability type / classification: Insecure Permission (Information Disclosure)
Attack type: Remote
Attack vector: API Call
Summary
In DriveLock versions 24.1.4, 24.2.5, and 25.1.2 (prior to 25.1.4), attackers could obtain the number of computers from other tenants. This issue primarily affects cloud customers.
Description
In DriveLock versions prior to 25.1.4, insufficient permission checks in the DriveLock Enterprise Service (DES) API could allow authenticated users to see the number of computers belonging to other tenants. This information disclosure primarily affects cloud users and was resolved in subsequent updates.
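The class of defect described above, a tenant-scoped count endpoint whose permission check stops at "is the caller authenticated", is illustrated by the following added example. It is hypothetical code written for this bulletin, not DriveLock's DES implementation; the inventory data, the `Principal` type and the handler names are all constructed.

```python
"""Hypothetical multi-tenant inventory API (not DriveLock's code).

Shows a computer-count handler that trusts a caller-supplied tenant id and
never compares it with the caller's own tenant, beside a hardened version
that derives the scope from the authenticated principal. All data is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed inventory: (computer_id, tenant_id)
COMPUTERS = [
    ("pc-01", "tenant-a"), ("pc-02", "tenant-a"), ("pc-03", "tenant-a"),
    ("pc-04", "tenant-b"), ("pc-05", "tenant-b"),
]


@dataclass(frozen=True)
class Principal:
    user: str
    tenant_id: str  # tenant asserted by the authentication layer, not by the client


class Forbidden(Exception):
    pass


def count_computers_vulnerable(caller: Optional[Principal], tenant_id: str) -> int:
    """Vulnerable: checks only that a caller is authenticated, then honours the
    tenant_id query parameter. Any logged-in user can read another tenant's count."""
    if caller is None:
        raise Forbidden("authentication required")
    return sum(1 for _, t in COMPUTERS if t == tenant_id)


def count_computers_fixed(caller: Optional[Principal], tenant_id: str) -> int:
    """Hardened: the effective scope is the caller's own tenant; a client-supplied
    tenant_id that does not match is rejected instead of being used in the query."""
    if caller is None:
        raise Forbidden("authentication required")
    if tenant_id != caller.tenant_id:
        # Uniform rejection: reveals nothing about whether the other tenant exists.
        raise Forbidden("tenant scope mismatch")
    return sum(1 for _, t in COMPUTERS if t == caller.tenant_id)


def cross_tenant_leak(handler: Callable[[Optional[Principal], str], int],
                      caller: Principal, other_tenant: str) -> bool:
    """Regression check: True if the handler lets a caller read a foreign tenant's count."""
    try:
        handler(caller, other_tenant)
        return True
    except Forbidden:
        return False
```

Running `cross_tenant_leak` against both handlers with a principal from one tenant and the id of another is the kind of authorization regression test that would have caught this before release.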
Affected versions
- DriveLock 24.1 — vulnerable
- DriveLock 24.2 — vulnerable
- DriveLock 25.1 — vulnerable (fixed in 25.1.5)
Mitigation
Update to the patched version immediately.
Fixed in
- DriveLock 25.1.5
References
- CVE-2025-XXXXX (requested) — official record will be available on MITRE once published.
How to update your environment
- To ensure continued protection, an update to 25.1.5 is required.
Additionally, regardless of this specific issue, we always recommend using the latest release of DriveLock to benefit from ongoing improvements and security enhancements.
A CVE has been requested and is currently under review by an official CNA authority. We will inform you once it is published.