Symantec DLP Agent Vulnerability Let Attackers Escalate Privileges
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A high-severity security flaw has been identified in the Symantec Data Loss Prevention (DLP) Agent for Windows<\/a>.<\/p>\n Tracked as CVE-2026-3991, this vulnerability allows a low-privileged local attacker to escalate their system privileges to the highest level.<\/p>\n Security researcher Manuel Feifel discovered the flaw, and Broadcom has recently released patches<\/a> to address the issue.<\/p>\n The vulnerability carries a CVSS score of 7.8. It requires no special configuration to exploit, meaning agents running with default settings are fully exposed.<\/p>\n The core issue originates from how the OpenSSL library was compiled and integrated into the Symantec DLP Agent.<\/p>\n The library was built with a hardcoded configuration path pointing to a specific development directory that does not exist on standard Windows installations.<\/p>\n Because Windows often grants authenticated users the default permission to create missing folders at the root directory level, any low-privileged user can recreate this development path. The vulnerable process \u00a0edpa.exe runs with SYSTEM privileges<\/a>.<\/p>\n When this process starts, it searches for its OpenSSL configuration file <\/a>(openssl.cnf) at a hardcoded, attacker-controlled location.<\/p>\n To successfully exploit CVE-2026-3991, a threat actor with basic local access must follow a straightforward attack path.<\/p>\n Because the malicious code executes directly within the trusted DLP agent process, the attack is particularly dangerous to enterprise networks.<\/p>\n Threat actors can leverage this technique to bypass endpoint security protections<\/a> and evade system telemetry completely.<\/p>\n Furthermore, attackers can use this compromised process to maintain deep, persistent access on the host machine while appearing entirely legitimate to security monitoring tools.<\/p>\n Broadcom was first notified of the issue in November 2025 and released an official security advisory and fixes on March 30, 2026.<\/p>\n Organizations relying on Symantec DLP should immediately update their Windows endpoint agents<\/a> to mitigate this threat.<\/p>\n The vulnerability affects Symantec DLP Agents before versions 16.1 MP2 or 25.1 MP1.<\/p>\n System administrators are strongly advised to upgrade to the following fixed versions of Data Loss Prevention (DLP): DLP 25.1 MP1, DLP 16.1 MP2, DLP 16.0 RU2 HF9, DLP 16.0 RU1 MP1 HF12, and DLP 16.0 MP2 HF15, as highlighted in the Infoguard Labs advisory<\/a>.<\/p>\n Administrators should prioritize these patches, especially in environments where insider threats, local privilege escalation, or lateral movement are significant security concerns.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Symantec DLP Agent Vulnerability Let Attackers Escalate Privileges<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nSymantec DLP Agent Vulnerability<\/strong><\/h2>\n
\n
Affected and Patched Versions<\/strong><\/h2>\n