VYPR
Advisory · Published Apr 15, 2026 · Updated May 18, 2026 · 1 source

CVE-2026-5487: Unauthenticated Directory Traversal in DriveLock Exposes Sensitive Files

A critical directory traversal vulnerability in DriveLock's web service allows unauthenticated remote attackers to read arbitrary files, with a CVSS score of 7.5.

A critical directory traversal vulnerability has been disclosed in DriveLock, a widely used endpoint security and device control solution. Tracked as CVE-2026-5487 and published by the Zero Day Initiative (ZDI-26-284), the flaw allows unauthenticated remote attackers to read arbitrary files on affected systems. The vulnerability carries a CVSS score of 7.5, reflecting the high confidentiality impact and the ease of exploitation over the network without any authentication.

The specific flaw resides in DriveLock's web service, which listens on TCP port 4568 by default. The issue stems from improper validation of user-supplied paths before they are used in file operations. An attacker can craft a malicious request containing directory traversal sequences (e.g., `../`) to escape the intended web root and access sensitive files on the server. Because the service runs without requiring authentication, any remote attacker who can reach the port can exploit the vulnerability.
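To make the flaw class concrete, here is an added example (not DriveLock's code, and not from the advisory) contrasting a file handler that joins the user-supplied path directly onto the web root with one that decodes, normalises and then checks containment before the read. The web root, the file names and the secret value are constructed for the demonstration.

```python
"""Added example: resolving a user-supplied path against a web root.

serve_file_vulnerable mirrors the flaw class the advisory describes (no
containment check before the file operation). serve_file_hardened decodes
and normalises the path and refuses anything that resolves outside the web
root. Neither function is DriveLock's code; the directory layout is
constructed for the demo.
"""
import tempfile
from pathlib import Path
from typing import Dict, Tuple
from urllib.parse import unquote


def serve_file_vulnerable(web_root: Path, requested: str) -> bytes:
    """Flawed: joins the raw request path and reads whatever it points at,
    so "../secret.key" walks out of the web root."""
    target = web_root / unquote(requested)
    return target.read_bytes()


def resolve_within_root(web_root: Path, requested: str) -> Path:
    """Return the absolute target path, or raise if it escapes web_root.

    Decoding happens before normalisation so "%2e%2e/" is handled like
    "../". resolve() also follows symlinks, so a link that points outside
    the root is rejected as well.
    """
    root = web_root.resolve()
    decoded = unquote(requested)
    # Treat the request as root-relative even when it starts with "/" or "\";
    # otherwise Path's "/" operator would replace the root entirely.
    relative = decoded.lstrip("/\\")
    candidate = (root / relative).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes web root: {requested!r}")
    return candidate


def serve_file_hardened(web_root: Path, requested: str) -> bytes:
    """Containment-checked read."""
    return resolve_within_root(web_root, requested).read_bytes()


def build_demo_tree() -> Tuple[Path, Path]:
    """Constructed layout: a web root holding one public file, and a
    secret file one directory above it. Returns (base, web_root)."""
    base = Path(tempfile.mkdtemp())
    web_root = base / "wwwroot"
    web_root.mkdir()
    (web_root / "index.html").write_bytes(b"public")
    (base / "secret.key").write_bytes(b"CONSTRUCTED-SECRET")
    return base, web_root


def demo() -> Dict[str, object]:
    """Run both handlers against a normal request and traversal probes."""
    _, web_root = build_demo_tree()
    results: Dict[str, object] = {}
    results["vuln_public"] = serve_file_vulnerable(web_root, "index.html")
    # The flawed handler hands back the file outside the web root.
    results["vuln_escape"] = serve_file_vulnerable(web_root, "../secret.key")
    results["hard_public"] = serve_file_hardened(web_root, "index.html")
    for probe in ("../secret.key", "%2e%2e/secret.key", "/../secret.key"):
        try:
            serve_file_hardened(web_root, probe)
            results[probe] = "allowed"
        except PermissionError:
            results[probe] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} -> {value!r}")
```

The containment test is done on the fully resolved path rather than by scanning the string for `..`, which is why encoded and leading-slash variants are caught without a growing denylist; the decode step is placed before normalisation because validating the still-encoded string is the usual way such checks are bypassed.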

The impact of this vulnerability is significant. An attacker could read configuration files, credentials, encryption keys, or other sensitive data stored on the DriveLock server. In enterprise environments where DriveLock is deployed to enforce device control policies, the compromised server may also provide a foothold for lateral movement or further attacks. The disclosure timeline shows the vulnerability was reported to DriveLock on February 6, 2026, and the coordinated public release occurred on April 15, 2026.

DriveLock has released a security update to address the issue. The vendor's advisory is available at DriveLock Security Bulletin 26-003. Organizations using DriveLock should apply the update immediately to mitigate the risk. The vulnerability was discovered and reported by researcher stuxxn.

This disclosure highlights the ongoing challenge of path traversal vulnerabilities in enterprise software. Although path traversal is a well-understood class of bug, improper input validation continues to plague applications that handle file paths. The fact that this vulnerability requires no authentication and is exposed on a default port makes it particularly dangerous for internet-facing deployments.

Administrators should review their DriveLock configurations to ensure the web service is not unnecessarily exposed to untrusted networks. If remote access is required, network-level controls such as firewalls or VPNs should be employed to restrict access. The combination of a high CVSS score and the availability of a vendor patch makes this a high-priority update for all affected organizations.
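Alongside patching and network restriction, administrators will want to check whether traversal attempts have already reached the service. The following added example (not part of the advisory, and not a DriveLock tool) scans access-log lines for requests to port 4568 whose decoded path contains a `..` segment. The log format (client, port, method, path, status) and the sample lines are constructed assumptions, not DriveLock's logging format.

```python
"""Added example: flag path-traversal attempts in access-log lines for a
service on TCP 4568. Log format and sample lines are constructed; adapt
LINE_RE to the real log layout.
"""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample: one benign client, one probing client, one request
# on another port that the scan should ignore.
SAMPLE_LOG = """\
10.0.0.5 4568 GET /static/app.js 200
10.0.0.9 4568 GET /files/../../config/server.key 200
10.0.0.9 4568 GET /files/%2e%2e/%2e%2e/config/server.key 200
10.0.0.9 4568 GET /files/%252e%252e/config/server.key 404
10.0.0.7 4568 GET /files/report-2026.pdf 200
10.0.0.9 8080 GET /admin/../login 200
"""

# Assumed layout: client port method path status
LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<port>\d+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def decode_fully(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded "%252e" is seen as "."."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path: str) -> bool:
    """True when any path segment, after decoding, is exactly ".."."""
    decoded = decode_fully(path)
    segments = re.split(r"[\\/]+", decoded)
    return ".." in segments


def find_traversal_attempts(log_text: str, port: str = "4568") -> List[Dict[str, str]]:
    """Return one record per suspicious request on the given port."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match or match["port"] != port:
            continue
        if is_traversal(match["path"]):
            hits.append(
                {
                    "client": match["client"],
                    "path": match["path"],
                    "decoded": decode_fully(match["path"]),
                    "status": match["status"],
                    # A 200 on a traversal path suggests the read succeeded.
                    "succeeded": "yes" if match["status"] == "200" else "no",
                }
            )
    return hits


def attempts_by_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per source address."""
    return dict(Counter(h["client"] for h in hits))


if __name__ == "__main__":
    found = find_traversal_attempts(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['client']} {hit['status']} succeeded={hit['succeeded']} {hit['decoded']}")
    print(attempts_by_client(found))
```

Matching on a decoded `..` segment rather than on the literal string `../` is what lets the scan catch the single- and double-encoded variants; the per-client count gives a quick view of which sources to examine first when deciding whether the server's files should be treated as exposed.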

Synthesized by Vypr AI