A high-severity vulnerability in the Symantec Data Loss Prevention (DLP) Agent for Windows could allow low-privileged attackers to take complete control of affected machines.
Tracked as CVE-2026-3991, this Local Privilege Escalation (LPE) flaw carries a CVSS score of 7.8. It exposes systems to deep compromise by letting attackers elevate their basic system access to full SYSTEM privileges.
Security researcher Manuel Feifel discovered the issue and reported it to Broadcom in late 2025.
While this flaw requires a threat actor to already have a basic foothold on the target computer, privilege escalation is a critical stepping stone in modern ransomware and cyber espionage campaigns.
The Hardcoded Oversight
The vulnerability originates from how the OpenSSL library was compiled and integrated into the Symantec DLP Agent software.
Developers accidentally left a hardcoded file path pointing to an internal build directory. This specific directory does not exist on a normal, standard Windows installation.
The Symantec DLP Agent relies on a core background process known as edpa.exe, which operates with the highest possible system permissions.
Whenever this process starts, it attempts to load an OpenSSL configuration file from a path that does not exist on a normal installation: C:\VontuDev\workDir\openssl\output\x64\Release\SSL\openssl.cnf.
Because the root C:\VontuDev folder is missing by default, and the default Windows permissions on the system drive's root often allow any standard, authenticated user to create new folders there, a low-privileged user can create the whole path from scratch.
To exploit this weakness, a low-level attacker simply builds the missing directory structure on the main drive.
Next, they drop a custom openssl.cnf configuration file and a malicious dynamic-link library (DLL) into the new folder.
When the Symantec DLP Agent restarts or initializes its OpenSSL components, it checks this path and blindly trusts the files inside.
The agent reads the attacker’s configuration file, which uses a specific directive to load the malicious DLL.
Because the edpa.exe process runs with SYSTEM rights, the injected code also executes with SYSTEM rights, granting the attacker total system control.
This technique is highly evasive. Because the malicious code runs directly inside the trusted DLP agent process, attackers can easily bypass endpoint security protections, evade telemetry monitoring, and hide their persistent access.
Broadcom officially released a security advisory and patches for the vulnerability on March 30, 2026. The flaw affects Symantec DLP Agent versions prior to 16.1 MP2 and 25.1 MP1.
Organizations must update their systems to secure their network environments. Administrators should immediately upgrade to one of the following patched versions:
- DLP 25.1 MP1
- DLP 16.1 MP2
- DLP 16.0 RU2 HF9
- DLP 16.0 RU1 MP1 HF12
- DLP 16.0 MP2 HF15
No complex configuration changes are required to fix the issue. Applying the official vendor update fully resolves the hardcoded path vulnerability and secures the agent.
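For administrators who want to confirm the preconditions described above on their own hosts before and after patching, the following PowerShell audit script is an added example; it is not code from the article or from Broadcom. It assumes the configuration path reconstructed from the article (C:\VontuDev\workDir\openssl\output\x64\Release\SSL), that the agent process is named edpa.exe as stated above, and that the script is run from an elevated session so the process path and ACLs are readable. It reports whether the build-only directory tree exists, lists any openssl.cnf or DLL files found under it with their hashes, checks whether broad groups can create folders under C:\, and prints the running agent's product version for comparison with the fixed releases listed above.

```powershell
# Added audit example for the CVE-2026-3991 preconditions (not from the article or vendor).
# Run in an elevated PowerShell session on a host with the Symantec DLP Agent installed.
# Assumptions: the search path below is reconstructed from the article; the agent
# process name edpa.exe is taken from the article.

$RootDir   = 'C:\VontuDev'
$ConfigDir = 'C:\VontuDev\workDir\openssl\output\x64\Release\SSL'

$findings = @()

# 1. The build-only directory tree should not exist on a normal Windows installation.
if (Test-Path -LiteralPath $RootDir) {
    $rootItem = Get-Item -LiteralPath $RootDir
    $owner    = (Get-Acl -LiteralPath $RootDir).Owner
    $findings += "WARNING: $RootDir exists (created $($rootItem.CreationTime), owner $owner)"

    # Any openssl.cnf or DLL under it deserves review: the agent would load them as SYSTEM.
    Get-ChildItem -LiteralPath $RootDir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq 'openssl.cnf' -or $_.Extension -ieq '.dll' } |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $findings += "  suspicious file: $($_.FullName) sha256=$hash"
        }

    if (Test-Path -LiteralPath $ConfigDir) {
        $findings += "WARNING: expected OpenSSL config directory $ConfigDir is present"
    }
} else {
    $findings += "OK: $RootDir is absent"
}

# 2. Can non-administrators create the directory? Look for create-folder rights granted
#    to broad groups on the root of the system drive.
$broadGroups = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone')
$createDirs  = [System.Security.AccessControl.FileSystemRights]::CreateDirectories
$rootAcl     = Get-Acl -LiteralPath 'C:\'
foreach ($ace in $rootAcl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and
        $broadGroups -contains $ace.IdentityReference.Value -and
        (($ace.FileSystemRights -band $createDirs) -ne 0)) {
        $findings += "WARNING: $($ace.IdentityReference.Value) may create folders under C:\ ($($ace.FileSystemRights))"
    }
}

# 3. Report the running agent binary and its product version so it can be compared
#    with the patched releases in the vendor advisory.
$proc = Get-Process -Name edpa -ErrorAction SilentlyContinue | Select-Object -First 1
if ($proc -and $proc.Path) {
    $version = (Get-Item -LiteralPath $proc.Path).VersionInfo.ProductVersion
    $findings += "INFO: edpa.exe running from $($proc.Path), product version $version"
} else {
    $findings += "INFO: edpa.exe not running, or its path is not readable (run elevated)"
}

$findings | ForEach-Object { Write-Output $_ }
```

A WARNING line for an existing C:\VontuDev tree on a host that never hosted a Symantec build is worth treating as an incident indicator rather than a configuration oddity, since the article describes the agent loading whatever it finds there as SYSTEM. The ACL check only explains why the path is creatable; the fix remains the vendor update listed above.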