Severity: HIGH | CVE-2026-44682 | CNA: Acronis

CVE-2026-44682: Local privilege escalation due to DLL hijacking vulnerability

Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227.

Metrics

  • CVSS v3.0: 7.3
  • Severity: HIGH
  • Fixed in: 9.0.15051.93227
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A DLL hijacking vulnerability in Acronis DeviceLock DLP for Windows allows a local attacker to escalate privileges on the affected host. The attacker needs an existing account on the system and must convince another user to trigger the vulnerable code path; no network access is required. Successful exploitation gives the attacker full control over the host, including the ability to read sensitive data, modify files, and crash or disrupt running services. A patched-image rebuild at version 9.0.15051.93227 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-44682 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built Windows-based images that bundle Acronis DeviceLock DLP. Coverage extends to images in both connected registries and active CI/CD pipelines.

Status: Available

Triage

Triage is available using the CVSS v3.0 score of 7.3 (HIGH), weighted against each customer organization's compliance policy to determine urgency and routing. Findings are directed to the appropriate team inbox within the customer org based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild pinned to Acronis DeviceLock DLP version 9.0.15051.93227 is available on HarborGuard for any environment running an affected build. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to attempt exploitation.

  • Victim interaction: Required

    A local user must be socially engineered or otherwise induced to trigger the vulnerable DLL load path.

  • Attack complexity: Detail

    The exploit is reliable and condition-free once the attacker controls the DLL search path; no race conditions or special environmental factors are required.

Blast Radius

  • A successful attacker reads protected files and sensitive data stored on the host, including credentials and policy configurations managed by DeviceLock DLP.
  • The attacker can modify or overwrite persisted files, registry entries, and security policy data on the compromised system.
  • The attacker gains the ability to crash or disable running services, including the DeviceLock DLP agent itself.
  • Privilege escalation to a higher-privileged context (such as SYSTEM) gives full administrative control over the affected Windows host.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-44682 is active for all scanned images the moment the advisory is ingested. For environments running Acronis DeviceLock DLP builds earlier than 9.0.15051.93227, a patched-image rebuild is available immediately. Where compliance policy permits auto-remediation, HarborGuard rebuilds the affected image at the fixed version, executes a regression test run, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is surfaced with severity 7.3 HIGH and routed according to the team's configured ownership rules so engineers can apply the fix manually.

Fix available: 9.0.15051.93227

Affected packages
  • Acronis / Acronis DeviceLock DLP
    < 9.0.15051.93227 (from unspecified)
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H