Critical Vulnerability in Symantec DLP Agent Allows Privilege Escalation; Urges Immediate Patching

A significant security vulnerability has been identified in the Symantec Data Loss Prevention (DLP) Agent for Windows, designated as CVE-2026-3991. This flaw enables local attackers with minimal privileges to escalate their access rights to the highest system level, posing a substantial risk to affected systems.

Discovery and Impact

Security researcher Manuel Feifel uncovered this vulnerability, which has been assigned a CVSS score of 7.8, indicating high severity. The flaw does not require any special configuration to exploit; agents operating with default settings are fully susceptible. This means that any system running the vulnerable version of the DLP Agent is at risk without additional user interaction.

Technical Details

The root cause of the vulnerability lies in the integration of the OpenSSL library within the Symantec DLP Agent. The library was compiled with a hardcoded configuration path pointing to a specific development directory that does not exist on standard Windows installations. Windows systems often grant authenticated users the default permission to create missing folders at the root directory level. Consequently, a low-privileged user can recreate this development path.

The vulnerable process, edpa.exe, runs with SYSTEM privileges. Upon startup, it searches for its OpenSSL configuration file (openssl.cnf) at the hardcoded, attacker-controlled location.

Exploitation Process

To exploit CVE-2026-3991, an attacker with basic local access can follow these steps:

1. Create the missing directory structure at `C:\VontuDev\workDir\openssl\output\x64\Release\SSL\`.

2. Place a malicious `openssl.cnf` file and a payload DLL into this newly created folder.

3. Craft the configuration file to use the OpenSSL directive `dynamic_path` to point directly to the attacker’s DLL.

4. When the Symantec DLP Agent service restarts or triggers an OpenSSL initialization, it reads the malicious configuration file.

5. The system loads the attacker’s DLL as a dynamic engine and executes it immediately with SYSTEM privileges.

This method allows the attacker to execute arbitrary code with the highest system privileges, effectively taking full control of the affected system.

Potential Consequences

The exploitation of this vulnerability is particularly dangerous for enterprise networks. By executing malicious code within the trusted DLP agent process, attackers can bypass endpoint security protections and evade system telemetry. This compromised process can be used to maintain persistent access on the host machine while appearing legitimate to security monitoring tools.

Affected Versions and Patches

Broadcom was first notified of the issue in November 2025 and released an official security advisory and fixes on March 30, 2026. The vulnerability affects Symantec DLP Agents before versions 16.1 MP2 or 25.1 MP1.

System administrators are strongly advised to upgrade to the following fixed versions of Data Loss Prevention (DLP):

– DLP 25.1 MP1

– DLP 16.1 MP2

– DLP 16.0 RU2 HF9

– DLP 16.0 RU1 MP1 HF12

– DLP 16.0 MP2 HF15

Administrators should prioritize these patches, especially in environments where insider threats, local privilege escalation, or lateral movement are significant security concerns.

Mitigation Steps

In addition to applying the patches, organizations should consider the following mitigation steps:

– Restrict Directory Creation Permissions: Limit the ability of low-privileged users to create directories in critical system paths.

– Monitor for Unauthorized Directories: Implement monitoring to detect the creation of unexpected directories that could be used in exploitation attempts.

– Review OpenSSL Configurations: Ensure that OpenSSL configurations do not point to insecure or non-existent paths that could be exploited.
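The following audit script is added here and is not from Broadcom or the original advisory. It checks a Windows host for the two preconditions the article describes: whether the hardcoded OpenSSL path already exists (and what it contains), and whether low-privileged groups hold the create-folder right on the root of C:\. The path and process name are taken from the article; the function names and the list of "low-privileged" principals are assumptions.

```powershell
# Added audit script (not from Broadcom or the original advisory). Checks the two
# preconditions described in the article: the hardcoded OpenSSL path being present,
# and low-privileged principals being able to create folders in the root of C:\.
$SuspectRoot = 'C:\VontuDev'   # first component a low-privileged user would have to create
$SuspectPath = 'C:\VontuDev\workDir\openssl\output\x64\Release\SSL'

function Get-SuspectPathFindings {
    # Returns one object per openssl.cnf or DLL found under the hardcoded path root, with its owner.
    if (-not (Test-Path -LiteralPath $SuspectRoot)) { return @() }
    Get-ChildItem -LiteralPath $SuspectRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq 'openssl.cnf' -or $_.Extension -ieq '.dll' } |
        ForEach-Object {
            [pscustomobject]@{
                File          = $_.FullName
                Owner         = (Get-Acl -LiteralPath $_.FullName).Owner
                InExpectedDir = ($_.DirectoryName.TrimEnd('\') -ieq $SuspectPath)
            }
        }
}

function Get-RootFolderCreateGrants {
    # Lists Allow ACEs on the drive root that grant low-privileged principals the
    # CreateDirectories (AppendData) right, the default Windows behaviour the article notes.
    param([string]$Root = 'C:\')
    $createDirs = [System.Security.AccessControl.FileSystemRights]::CreateDirectories
    $lowPriv = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone')  # assumed set
    (Get-Acl -LiteralPath $Root).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band ([int]$createDirs)) -ne 0
    } | Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

# Report: a populated path means the edpa.exe service would read it on its next OpenSSL initialization.
$findings = Get-SuspectPathFindings
if ($findings) {
    Write-Warning "Hardcoded OpenSSL path is populated on this host; review before the DLP agent restarts:"
    $findings | Format-Table -AutoSize
} elseif (Test-Path -LiteralPath $SuspectRoot) {
    Write-Warning "$SuspectRoot exists but holds no openssl.cnf or DLL; it should not exist on a standard install."
} else {
    Write-Output "$SuspectRoot not present."
}

$grants = Get-RootFolderCreateGrants
if ($grants) {
    Write-Warning "Low-privileged principals can create folders in C:\; consider tightening this ACE:"
    $grants | Format-Table -AutoSize
}
```

Run it from an elevated prompt so Get-Acl can read every file's owner; the directory findings are also a good seed for the file-creation monitoring rule the mitigation list recommends.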

Conclusion

The discovery of CVE-2026-3991 underscores the importance of rigorous security practices in software development and deployment. Organizations using Symantec DLP Agents should act swiftly to apply the necessary patches and review their security configurations to prevent potential exploitation.