Security Bulletin #25-006 — DES: Misconfiguration leading to Arbitrary Agent Impersonation (CVE request)



First published: 2025-09-25

Last updated: 2025-09-29

CVE: CVE-2025-XXXXX (requested) — official record will be available on MITRE once published.

CVSS Score: MEDIUM 5.3 – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Affected product(s): DriveLock SE — DriveLock Enterprise Service (DES) (see versions below)

Disclosure status: Coordinated

Vulnerability type / classification: Misconfiguration (Agent Authentication)

Attack type: Remote

Attack vector: Network


Summary

Due to incomplete agent configuration in the DriveLock Operations Center (DOC), attackers can impersonate DriveLock Agents against the DriveLock Enterprise Service (DES) and upload files into arbitrary tenants via the trace file functionality.

Description

If agent authentication is not configured properly in the DriveLock Operations Center (DOC), a configuration weakness exists in the agent authentication process. This misconfiguration allows an attacker to impersonate DriveLock Agents against the DES by exploiting the trace file functionality.

Mitigation

Configure agent authentication correctly in the DOC (DOC Config Installation Checkboxes).

Fixed in

  • n/a

References

  • CVE-2025-XXXXX (requested) — official record will be available on MITRE once published.

How to update your environment

n/a

Additionally, regardless of this specific issue, we always recommend using the latest release of DriveLock to benefit from ongoing improvements and security enhancements.

A CVE has been requested and is currently under review by an official CNA authority. We will inform you once it is published.