CVE-2025-67791
Agent Authentication Bypass in DriveLock Enables Network Impersonation
Publication date: 2025-12-17
Last updated on: 2025-12-18
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| drivelock | drivelock | From 24.1 (inc) to 24.1.4 (inc) |
| drivelock | drivelock | From 24.2 (inc) to 24.2.8 (inc) |
| drivelock | drivelock | From 25.1 (inc) to 25.1.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in DriveLock versions 24.1 through 24.1.*, 24.2 through 24.2.*, and 25.1 through 25.1.*. It is caused by an incomplete configuration related to agent authentication in the DriveLock tenant, which allows attackers to impersonate any DriveLock agent on the network when interacting with the DriveLock Enterprise Service (DES).
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can impersonate any DriveLock agent on the network against the DriveLock Enterprise Service. This could lead to unauthorized access, manipulation, or disruption of the DriveLock service and potentially compromise the security of the network environment where DriveLock is deployed.