An issue was discovered in DriveLock 24.1 through 24.1.*, 24.2 through 24.2.*, and 25.1 before 25.1.6. Users with the "Manage roles and permissions" privilege can promote themselves or other DOC users to the Supervisor role through an API call. This privilege is included by default in the Administrator role. This issue mainly affects cloud multi-tenant deployments; on-prem single-tenant installations are typically not impacted because local admins usually already have Supervisor privileges.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

No data.

No data.

No data.

No data.

References
Link Providers
https://drivelock.help/sb/Content/SecurityBulletins/25-008-DESPrivilegeEsc.htm cve-icon cve-icon
History

Wed, 17 Dec 2025 21:00:00 +0000

Type Values Removed Values Added
Description An issue was discovered in DriveLock 24.1 through 24.1.*, 24.2 through 24.2.*, and 25.1 before 25.1.6. Users with the "Manage roles and permissions" privilege can promote themselves or other DOC users to the Supervisor role through an API call. This privilege is included by default in the Administrator role. This issue mainly affects cloud multi-tenant deployments; on-prem single-tenant installations are typically not impacted because local admins usually already have Supervisor privileges.
References
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2025-12-17T20:53:31.818Z

Reserved: 2025-12-12T00:00:00.000Z

Link: CVE-2025-67793

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2025-12-17T21:16:16.443

Modified: 2025-12-17T21:16:16.443

Link: CVE-2025-67793

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.