ZDI 2026-04-15

ZDI-26-285: DriveLock Directory Traversal Information Disclosure Vulnerability

CVE-2026-5489

Machine-generated analysis · WAYSCloud LLM

The vulnerability permits unauthenticated remote attackers to disclose sensitive information via a directory traversal issue in DriveLock.

Context

The affected product is DriveLock, a software solution used for endpoint security and data protection. The vulnerability is a directory traversal flaw that enables information disclosure without requiring authentication. The advisory notes a CVSS score of 5.3, indicating a medium severity impact. Worth noting is that the attack can be remotely exploited without prior access.

Operator considerations

Check: Identify instances of DriveLock in use within the environment.

From Zero Day Initiative ↗

This vulnerability allows remote attackers to disclose sensitive information on affected installations of DriveLock. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 5.3. The following CVEs are assigned: CVE-2026-5489.

Read the full advisory on ZDI →