Directory Traversal Information Disclosure in DriveLock (CVE‑2026‑5489) Exposes Sensitive Files
What It Is – DriveLock’s web service (default TCP 4568) suffers a directory‑traversal flaw that lets unauthenticated remote attackers read arbitrary files on the host. The issue stems from insufficient validation of user‑supplied paths before file‑system access.
Exploitability – The vulnerability is publicly disclosed, carries a CVSS score of 5.3 (moderate), and can be exploited without authentication or user interaction. No public exploit code has been observed, but the attack vector is trivial to implement.
Affected Products – All versions of DriveLock that expose the vulnerable web service (the advisory does not list a specific version range).
TPRM Impact – Because DriveLock is often deployed as a data‑protection layer for third‑party SaaS and on‑premise workloads, a breach could reveal configuration files, logs, or cryptographic material that in turn compromise downstream customers.
Recommended Actions –
- Deploy the vendor‑provided patch immediately (see DriveLock security bulletin).
- If patching cannot be done instantly, block inbound traffic to TCP 4568 at the perimeter or host firewall.
- Conduct a file‑integrity audit on systems running DriveLock to detect any unauthorized reads.
- Review contracts for clauses requiring timely remediation of disclosed vulnerabilities.
- Update your third‑party risk register to reflect the new exposure and reassess the vendor’s security posture.
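As an added illustration that is not DriveLock's code (the vulnerable component is not shown in the advisory), the constructed snippet below contrasts the insufficient path validation pattern described under What It Is with a containment check that decodes before normalising, and adds a small access-log filter to support the audit step above. WEB_ROOT, the function names and the sample log lines are all assumed or constructed for this example.

```python
# Added example (not DriveLock's code): path containment for a file-serving web endpoint,
# plus a log filter for traversal attempts. WEB_ROOT is a constructed placeholder.
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/files"  # placeholder document root, not DriveLock's real path


def decode_fully(raw: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of percent-encoding (%252e -> %2e -> '.')."""
    for _ in range(rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def weak_resolve(raw: str) -> str:
    """Insufficient validation: blacklists the literal '..' BEFORE decoding,
    so a percent-encoded traversal sequence passes the check and escapes the root."""
    if ".." in raw:
        raise ValueError("rejected")
    return posixpath.normpath(posixpath.join(WEB_ROOT, unquote(raw).lstrip("/")))


def safe_resolve(raw: str) -> str:
    """Decode first, normalise, then require the result to stay under WEB_ROOT."""
    decoded = decode_fully(raw).replace("\\", "/")
    if "\x00" in decoded:
        raise ValueError("rejected: NUL byte")
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        raise ValueError("rejected: path escapes web root")
    return candidate


def flag_traversal_requests(log_lines):
    """Return access-log lines ('METHOD PATH STATUS') whose decoded path has a '..' segment."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        path = decode_fully(parts[1]).replace("\\", "/")
        if ".." in path.split("/"):
            hits.append(line)
    return hits


# Constructed sample log lines for the filter above (not real DriveLock logs).
SAMPLE_LOG = [
    "GET /index.html 200",
    "GET /%2e%2e/%2e%2e/windows/win.ini 200",
    "GET /docs/guide.pdf 200",
    "GET /..%5c..%5cetc/passwd 404",
]
```

Running `flag_traversal_requests(SAMPLE_LOG)` against the service's access logs for TCP 4568 gives a first cut of requests worth correlating with the file-integrity audit.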