How is CVE-2026-42061 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no network exposure is required. Authentication (required): Any low-privilege local account is sufficient; no administrator or elevated credentials are needed to begin the attack. Victim interaction (required): A local user must perform some action (such as opening a file or triggering a process) to complete the exploit chain. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

What is the impact of CVE-2026-42061?

The attacker reads sensitive files and data accessible to elevated processes, including credentials and configuration stores. The attacker modifies system files, registry entries, or application data that the escalated process has write access to. The attacker disrupts or terminates processes and services running under higher-privilege contexts, causing service outages on the affected host. Full compromise of the local Windows host is achievable, as the combination of high confidentiality, integrity, and availability impact leaves no aspect of the system protected.

Back to search

HIGHCVE-2026-42061Published 2026-06-03Modified 2026-06-03CNA Acronis

CVE-2026-42061: Local privilege escalation due to excessive permissions assigned to child processes

Local privilege escalation due to excessive permissions assigned to child processes. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227.

CVSS v3.0: 7.3
Severity: HIGH
Fixed in: 9.0.15051.93227
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a local privilege escalation vulnerability in Acronis DeviceLock DLP for Windows. An attacker with a low-privilege local account can exploit excessively permissive child process configurations to gain elevated system rights, but requires victim interaction to trigger the exploit path. Successful exploitation gives the attacker full read, write, and availability control over affected resources. A patched-image rebuild at version 9.0.15051.93227 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-42061 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Windows-based container images carrying the affected Acronis DeviceLock DLP build. Coverage applies to both registry scans and inline pipeline checks.

Available

Triage

HarborGuard scores this CVE at 7.3 HIGH using the CVSS v3.0 vector and can weight that score against each customer organization's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer environment based on configured ownership rules.

Available

Patch

A patched-image rebuild at Acronis DeviceLock DLP version 9.0.15051.93227 is available for any scanned image found to carry an affected build. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network exposure is required.
AuthenticationRequired
Any low-privilege local account is sufficient; no administrator or elevated credentials are needed to begin the attack.
Victim interactionRequired
A local user must perform some action (such as opening a file or triggering a process) to complete the exploit chain.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

The attacker reads sensitive files and data accessible to elevated processes, including credentials and configuration stores.
The attacker modifies system files, registry entries, or application data that the escalated process has write access to.
The attacker disrupts or terminates processes and services running under higher-privilege contexts, causing service outages on the affected host.
Full compromise of the local Windows host is achievable, as the combination of high confidentiality, integrity, and availability impact leaves no aspect of the system protected.

How HarborGuard Handles This

Available on HarborGuard: detection and remediation support for CVE-2026-42061 are built into the standard scan pipeline. Any customer image carrying Acronis DeviceLock DLP below build 9.0.15051.93227 is flagged automatically within minutes of the CVE entering upstream feeds. For customers who opt into auto-remediation, HarborGuard makes a rebuilt image at the fixed version available, runs regression tests, and opens a PR against affected workloads; for HIGH-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the triage card and recommended fix version are routed to the designated owner inbox so the team can act without additional research.

See how HarborGuard automates this

Fix available

9.0.15051.93227

Affected packages

Acronis / Acronis DeviceLock DLP
< 9.0.15051.93227 (from unspecified)

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References

SEC-3083

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available