Symantec DLP Agent Vulnerability Let Attackers Escalate Privileges
Cybersecurity News, archived Apr 02, 2026
A high-severity security flaw has been identified in the Symantec Data Loss Prevention (DLP) Agent for Windows.
Tracked as CVE-2026-3991, this vulnerability allows a low-privileged local attacker to escalate their system privileges to the highest level.
Security researcher Manuel Feifel discovered the flaw, and Broadcom has recently released patches to address the issue.
The vulnerability carries a CVSS score of 7.8. It requires no special configuration to exploit, meaning agents running with default settings are fully exposed.
Symantec DLP Agent Vulnerability
The core issue originates from how the OpenSSL library was compiled and integrated into the Symantec DLP Agent.
The library was built with a hardcoded configuration path pointing to a specific development directory that does not exist on standard Windows installations.
Because Windows often grants authenticated users the default permission to create missing folders at the root directory level, any low-privileged user can recreate this development path. The vulnerable process edpa.exe runs with SYSTEM privileges.
When this process starts, it searches for its OpenSSL configuration file (openssl.cnf) at the hardcoded location, which an attacker can control.
To successfully exploit CVE-2026-3991, a threat actor with basic local access follows a straightforward attack path:
The attacker creates the missing directory structure at C:\VontuDev\workDir\openssl\output\x64\Release\SSL\.
They place a malicious OpenSSL.cnf file and a payload DLL into this newly created folder.
The crafted configuration file uses the standard OpenSSL directive dynamic_path to point directly to the attacker’s DLL.
When the Symantec DLP Agent service restarts or triggers an OpenSSL initialization, it reads the malicious configuration file.
The system loads the attacker’s DLL as a dynamic engine and executes it immediately with SYSTEM privileges.
Because the malicious code executes directly within the trusted DLP agent process, the attack is particularly dangerous to enterprise networks.
Threat actors can leverage this technique to bypass endpoint security protections and evade system telemetry completely.
Furthermore, attackers can use this compromised process to maintain deep, persistent access on the host machine while appearing entirely legitimate to security monitoring tools.
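A host-side triage check for the path described above, as an added example that is not code from the article, Broadcom or the researcher: it reports which components of the hardcoded directory exist, who owns them, and whether any .cnf file there sets dynamic_path. The function names are hypothetical; the directory and the directive name are the ones quoted above.

```powershell
# Added triage example, not vendor or researcher code.
# The directory and the directive name are the ones quoted in the article.
$HardcodedDir = 'C:\VontuDev\workDir\openssl\output\x64\Release\SSL'

function Get-HardcodedPathChain {
    # Report every component of the path that exists, from the drive root down.
    # The article states this path does not exist on standard installations.
    param([string]$Path = $HardcodedDir)
    $parts   = $Path.TrimEnd('\') -split '\\'
    $current = $parts[0] + '\'
    foreach ($name in $parts[1..($parts.Count - 1)]) {
        $current = Join-Path -Path $current -ChildPath $name
        if (-not (Test-Path -LiteralPath $current -PathType Container)) { break }
        $item = Get-Item -LiteralPath $current -Force
        [pscustomobject]@{
            Path       = $current
            Owner      = (Get-Acl -LiteralPath $current).Owner
            CreatedUtc = $item.CreationTimeUtc
        }
    }
}

function Get-HardcodedPathFiles {
    # List files in the final directory; flag .cnf files that set dynamic_path.
    param([string]$Path = $HardcodedDir)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return }
    Get-ChildItem -LiteralPath $Path -File -Force | ForEach-Object {
        $setsDynamicPath = $false
        if ($_.Extension -ieq '.cnf') {
            $setsDynamicPath = [bool](Select-String -LiteralPath $_.FullName `
                -Pattern '^\s*dynamic_path\s*=' -Quiet)
        }
        [pscustomobject]@{
            File            = $_.FullName
            Owner           = (Get-Acl -LiteralPath $_.FullName).Owner
            LastWriteUtc    = $_.LastWriteTimeUtc
            SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            SetsDynamicPath = $setsDynamicPath
        }
    }
}

$chain = @(Get-HardcodedPathChain)
$files = @(Get-HardcodedPathFiles)
if ($chain.Count -eq 0) {
    'No component of the hardcoded OpenSSL path exists on this host.'
} else {
    $chain | Format-Table -AutoSize
    $files | Format-List
}
```

Because the path does not exist on standard Windows installations, any row this prints is worth investigating, starting with the owner and creation time of the first component.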
Affected and Patched Versions
Broadcom was first notified of the issue in November 2025 and released an official security advisory and fixes on March 30, 2026.
Organizations relying on Symantec DLP should immediately update their Windows endpoint agents to mitigate this threat.
The vulnerability affects Symantec DLP Agents before versions 16.1 MP2 or 25.1 MP1.
System administrators are strongly advised to upgrade to the following fixed versions of Data Loss Prevention (DLP): DLP 25.1 MP1, DLP 16.1 MP2, DLP 16.0 RU2 HF9, DLP 16.0 RU1 MP1 HF12, and DLP 16.0 MP2 HF15, as highlighted in the Infoguard Labs advisory.
Administrators should prioritize these patches, especially in environments where insider threats, local privilege escalation, or lateral movement are significant security concerns.