CRITICAL🇵🇱 Wersja polska

CVE-2025-67791

CVSS 9.8v3.1pub. 2025-12-17upd. 2025-12-18

An issue was discovered in DriveLock 24.1 through 24.1.*, 24.2 through 24.2.*, and 25.1 through 25.1.*. An incomplete configuration (agent authentication) in DriveLock tenant allows attackers to impersonate any DriveLock agent on the network against the DES (DriveLock Enterprise Service).

🤖 AI Analysis
How it works

In DriveLock versions 24.1.*, 24.2.* and 25.1.*, the configuration of agent authentication within a DriveLock tenant is incomplete (CWE-287 — improper authentication). This results in the lack of effective verification of the identity of agents communicating with the DriveLock Enterprise Service (DES). A network attacker, without possessing any credentials, can send requests to DES with spoofed identity of any legitimate DriveLock agent.

Impact

An attacker can fully impersonate an authorized DriveLock agent and consequently gain unauthorized access to data, introduce unauthorized changes to the configuration of managed endpoints, or disrupt the operation of the DES service, which corresponds to a high impact on confidentiality, integrity, and availability.

Mitigation & patch

Apply patches available from the vendor according to the references (DriveLock security bulletin 25-006 available at the address indicated in the references). It is also recommended to verify and supplement the agent authentication configuration in DriveLock tenants according to the vendor's guidelines.

Who is affected

DriveLock in versions 24.1 to 24.1.*, 24.2 to 24.2.* and 25.1 to 25.1.*

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Drivelock

    APP
    Drivelock
    24.1 – 24.1.424.2 – 24.2.825.1 – 25.1.6
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2025-67781CRITICAL9.9PL ✓ten sam produkt

DriveLock — eskalacja uprawnień przez manipulację procesami uprzywilejowanymi

CVE-2025-67787CRITICAL9.6PL ✓ten sam produkt

XSS w DriveLock Operations Center umożliwiający przejęcie sesji

CVE-2025-67793CRITICAL9.8PL ✓ten sam produkt

DriveLock — nieautoryzowana eskalacja uprawnień do roli Supervisor przez API

CVE-2025-55187CRITICAL9.9PL ✓ten sam produkt

DriveLock — privilege escalation umożliwiające przejęcie kontroli nad systemem

CVE-2025-67790HIGH7.5ten sam produkt

An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. An unpriv...