HIGH | CVE-2026-50033 | CNA: Acronis

CVE-2026-50033: Local privilege escalation due to DLL hijacking vulnerability

Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227.

Metrics

  • CVSS v3.0: 7.3
  • Severity: HIGH
  • Fixed in: 9.0.15051.93227
  • Affected products: 1


HarborGuard Analysis

Synopsis

A DLL hijacking vulnerability in Acronis DeviceLock DLP for Windows allows a local attacker to escalate privileges on the affected host. The attacker must already have a low-privilege account on the machine and must trick another user into triggering the vulnerable load path, after which the planted DLL runs with elevated privileges. Successful exploitation gives the attacker full read, write, and availability control over the system. A patched-image rebuild at build 9.0.15051.93227 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-50033 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds, including custom-built Windows-based container images that bundle Acronis DeviceLock DLP. Coverage extends to both registry scans and active pipeline checks so affected images are flagged before deployment.

Status: Available

Triage

Triage is available with the CVSS v3.0 score of 7.3 (HIGH) applied automatically, weighted further by each customer organization's compliance policy to prioritize or suppress the finding as appropriate. Routing to the correct team inbox within each customer org is handled according to that org's configured escalation rules.

Status: Available

Patch

A patched-image rebuild pinned to Acronis DeviceLock DLP build 9.0.15051.93227 becomes available on HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, the workflow includes the rebuild, a regression-test run, and a pull request opened against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the target is required.

  • Authentication: Required

    Any low-privilege local account is sufficient; the attacker does not need administrative credentials to stage the attack.

  • Victim interaction: Required

    A legitimate user on the machine must trigger the vulnerable DLL load path, for example by launching the affected application, making this a social-engineering-dependent attack.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions or environmental pre-conditions beyond placing the malicious DLL in the search path.

Blast Radius

  • Reads sensitive files, stored credentials, and protected data managed by DeviceLock DLP on the host.
  • Modifies or deletes system files, configuration, and policy data, including DeviceLock DLP policy enforcements.
  • Crashes or disables the DeviceLock DLP service and other host processes, removing data-loss-prevention controls entirely.
  • Executes arbitrary code at elevated privilege, enabling persistent backdoors or lateral movement within the host environment.

How HarborGuard Handles This

Available on HarborGuard: once the upstream build 9.0.15051.93227 is confirmed in the advisory feed, a patched-image rebuild becomes available for any customer image that packages Acronis DeviceLock DLP on Windows. Where compliance policy permits auto-remediation, the pipeline automatically produces the rebuilt image, runs a regression test suite against it, and opens a pull request against affected workloads. For environments where auto-remediation is not enabled, the finding is surfaced in the triage queue scored at 7.3 HIGH so teams can act manually. Because a fix version exists, customers are encouraged to prioritize this rebuild given that the exploit requires only a low-privilege account and victim interaction is a relatively low bar in shared-workstation or terminal-server environments. HarborGuard re-checks the advisory on every ingest cycle to ensure rebuild availability stays current with any upstream revisions to the fix.


Fix available: 9.0.15051.93227
Affected packages
  • Acronis / Acronis DeviceLock DLP
    < 9.0.15051.93227 (from unspecified)
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H