Broadcom: Symantec DLP Agent Flaw Exposed Systems to Privilege Escalation Attacks

High-Severity Symantec DLP Agent Flaw Grants SYSTEM Privileges to Attackers

A critical local privilege escalation (LPE) vulnerability in the Symantec Data Loss Prevention (DLP) Agent for Windows (CVE-2026-3991, CVSS 7.8) allows low-privileged attackers to gain full SYSTEM-level control of affected machines. Discovered by security researcher Manuel Feifel and reported to Broadcom in late 2025, the flaw stems from a hardcoded file path in the agent’s OpenSSL integration, enabling attackers to bypass security controls.

Exploitation Mechanism

The vulnerability arises from the edpa.exe process, which runs with SYSTEM privileges and attempts to load an OpenSSL configuration file from a non-existent directory: C:\VontuDev\workDir\openssl\output\x64\Release\SSL\openssl.cnf. Since the C:\VontuDev folder does not exist by default, an attacker can create it and place a malicious OpenSSL configuration file and DLL in that path. When the DLP Agent restarts, it loads these files and executes the attacker's code with SYSTEM rights, effectively granting full control of the machine.

This technique is particularly stealthy, as the malicious payload runs within the trusted DLP agent process, evading endpoint security and monitoring tools.
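A defender-side check for the mechanism described above, added here as an example (it is not code from the article, Broadcom, or the researcher): it scans Sysmon-style FileCreate (Event ID 11) and ImageLoad (Event ID 7) records for writes under C:\VontuDev by non-SYSTEM accounts and for edpa.exe loading any image from that tree. The event field names follow Sysmon's schema; the agent install path and the sample events are constructed.

```python
"""Flag activity consistent with CVE-2026-3991 abuse in Sysmon-style events."""
import ntpath
from typing import Iterable

# Directory the agent's OpenSSL build expects but which is absent by default (from the advisory).
HIJACK_ROOT = r"C:\VontuDev"
AGENT_IMAGE = "edpa.exe"
# Assumption: only SYSTEM (the agent itself) should ever create files under that tree.
TRUSTED_USERS = {"NT AUTHORITY\\SYSTEM"}


def under_root(path: str, root: str = HIJACK_ROOT) -> bool:
    """Case-insensitive test that a Windows path lies inside root (or equals it)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r + "\\")


def analyse(events: Iterable[dict]) -> list[str]:
    """Return one human-readable finding per suspicious event."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11 and under_root(ev.get("TargetFilename", "")):
            # Sysmon 11 = FileCreate: anyone but SYSTEM writing here is pre-positioning a hijack.
            if ev.get("User") not in TRUSTED_USERS:
                findings.append(f"FileCreate under {HIJACK_ROOT} by {ev['User']}: {ev['TargetFilename']}")
        elif eid == 7:
            # Sysmon 7 = ImageLoad: the SYSTEM agent pulling a DLL from the hijack tree is the payoff.
            if ntpath.basename(ev.get("Image", "")).lower() == AGENT_IMAGE and under_root(ev.get("ImageLoaded", "")):
                findings.append(f"{AGENT_IMAGE} loaded {ev['ImageLoaded']} (unsigned={ev.get('Signed') != 'true'})")
    return findings


SAMPLE_EVENTS = [  # constructed sample data; install path is a placeholder
    {"EventID": 11, "User": "CORP\\jdoe",
     "TargetFilename": r"C:\VontuDev\workDir\openssl\output\x64\Release\SSL\openssl.cnf"},
    {"EventID": 11, "User": "CORP\\jdoe",
     "TargetFilename": r"C:\VontuDev\workDir\openssl\output\x64\Release\SSL\hijack.dll"},
    {"EventID": 7, "Image": r"C:\AGENT_INSTALL_DIR\edpa.exe", "Signed": "false",
     "ImageLoaded": r"C:\VontuDev\workDir\openssl\output\x64\Release\SSL\hijack.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\crypt32.dll"},
    {"EventID": 11, "User": "NT AUTHORITY\\SYSTEM", "TargetFilename": r"C:\Windows\Temp\agent.log"},
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

On an unpatched host the first two findings fire before any restart, so they give earlier warning than the ImageLoad alert.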

Affected Versions & Patch Availability

The flaw impacts Symantec DLP Agent versions prior to 16.1 MP2 and 25.1 MP1. Broadcom released patches on March 30, 2026, with the following fixed versions:

  • DLP 25.1 MP1
  • DLP 16.1 MP2
  • DLP 16.0 RU2 HF9
  • DLP 16.0 RU1 MP1 HF12
  • DLP 16.0 MP2 HF15

No additional configuration changes are required; applying the update fully mitigates the vulnerability.

Impact & Risk

While exploitation requires an attacker to already have basic access to a target system, privilege escalation is a key tactic in ransomware and cyber espionage campaigns. The flaw’s ability to bypass security controls and persist undetected makes it a significant threat to organizations relying on Symantec DLP for data protection.

Source: https://gbhackers.com/symantec-dlp-agent-flaw/

Broadcom cybersecurity rating report: https://www.rankiteo.com/company/broadcom
