Symantec DLP Agent flaw lets local attackers escalate privileges to SYSTEM
Broadcom has patched a high-severity vulnerability in the Symantec Data Loss Prevention Agent for Windows that can let a low-privileged local attacker gain SYSTEM-level access. The flaw, tracked as CVE-2026-3991, carries a CVSS 3.1 score of 7.8 and affects multiple supported DLP branches before their fixed releases.
The issue is serious because it does not require special product configuration. Broadcom’s advisory and the CVE record both describe it as a local privilege escalation bug in the Windows endpoint component, which means an attacker who already has basic access on a machine could use it to break out of those limits and take full control of the host.
Research tied to the disclosure says the root cause sits in how OpenSSL was compiled into the agent. The vulnerable process, edpa.exe, runs with SYSTEM privileges and looks for an OpenSSL configuration file in a hardcoded development path. If a low-privileged user can create that missing path and place a malicious configuration file and DLL there, the agent may load attacker-controlled code as SYSTEM.
How the privilege escalation works
According to public reporting on the research, the vulnerable path is C:\VontuDev\workDir\openssl\output\x64\Release\SSL\. On default Windows systems, authenticated users can often create missing folders at the root of the drive, which gives an attacker a chance to recreate that path and plant a rogue openssl.cnf file.
The attack then abuses OpenSSL’s normal behavior. A crafted configuration file can point to an attacker’s DLL through the dynamic_path directive. When the Symantec DLP Agent restarts or initializes OpenSSL, it reads the malicious configuration and loads the DLL inside a trusted process that already runs as SYSTEM.
That gives the attacker a clean privilege jump without needing a kernel exploit. Because the code runs inside the trusted DLP agent process, it can also blend into normal enterprise activity more easily than a noisy standalone exploit.
Affected versions and fixed releases
Broadcom published the advisory on March 30, 2026. The company says Symantec Data Loss Prevention Windows Endpoint versions before 25.1 MP1, 16.1 MP2, 16.0 RU2 HF9, 16.0 RU1 MP1 HF12, and 16.0 MP2 HF15 are affected. Those same versions appear as the fixed or unaffected releases in the CVE record.
That means organizations do not need to guess which builds are safe. The specific fixed versions listed in the public record are 25.1.00100.60229, 16.1.00200.60431, 16.0.20009.60689, 16.0.10112.60928, and 16.0.00215.62094.
Broadcom credited security researcher Manuel Feifel with finding the flaw. CISA’s enrichment data for the CVE currently says exploitation is not known, and public reports say there is no evidence of active attacks or public exploit code so far.
What admins should do now
Organizations that run the Symantec DLP Windows agent should treat this as a patch-now issue. This is a local bug, so it is not the kind of flaw that internet scanning alone will trigger, but it becomes very valuable after phishing, insider abuse, stolen credentials, or any other foothold on a workstation or server.
Security teams should identify every DLP Windows endpoint version in use, upgrade any system below the fixed builds, and review whether low-privileged users can create suspicious root-level paths on sensitive systems. They should also look for unexpected files in the hardcoded OpenSSL path and check for recent DLP service restarts that could line up with abuse attempts. These are practical defensive steps based on the published exploit path.
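As an added defensive check (not code from Broadcom or the article), the PowerShell audit below walks through those three steps on a single endpoint: it inspects the hardcoded path, lists drive-root ACL entries that let ordinary users create folders, and compares the running edpa.exe build with the fixed versions listed here. The rule that maps an installed build to its branch via the third version component is an assumption on my part; run the script elevated so the SYSTEM process path is readable.

```powershell
# Added audit script (not from Broadcom or the article). It checks the hardcoded
# path, the drive-root ACL, and the agent build against the fixed releases named
# in the advisory. The branch-series grouping below is an assumption, not vendor-documented.
$OpenSslPath = 'C:\VontuDev\workDir\openssl\output\x64\Release\SSL'
$FixedBuilds = '25.1.00100.60229','16.1.00200.60431','16.0.20009.60689',
               '16.0.10112.60928','16.0.00215.62094' | ForEach-Object { [version]$_ }

function Get-BranchKey([version]$v) {
    # Assumption: the leading digit of the third component separates the 16.0
    # RU2 (2xxxx), RU1 MP1 (1xxxx) and MP2 (0xxxx) branches from one another.
    '{0}.{1}.{2}' -f $v.Major, $v.Minor, [math]::Floor($v.Build / 10000)
}

function Test-DlpAgentBuild([version]$Installed) {
    $fixed = $FixedBuilds | Where-Object { (Get-BranchKey $_) -eq (Get-BranchKey $Installed) }
    if (-not $fixed) { return "Unknown branch for $Installed - check the advisory manually" }
    if ($Installed -lt $fixed) { return "VULNERABLE: $Installed is below fixed build $fixed" }
    return "OK: $Installed is at or above fixed build $fixed"
}

# 1. The development path should not exist on a production endpoint; any
#    openssl.cnf or DLL found there deserves a closer look.
if (Test-Path -LiteralPath $OpenSslPath) {
    Write-Warning "Hardcoded OpenSSL path exists: $OpenSslPath"
    Get-ChildItem -LiteralPath $OpenSslPath -Recurse -Force |
        Select-Object FullName, Length, LastWriteTime,
                      @{ n = 'Owner'; e = { (Get-Acl -LiteralPath $_.FullName).Owner } } |
        Format-Table -AutoSize
} else {
    Write-Output 'Hardcoded OpenSSL path is absent (expected).'
}

# 2. Which non-admin principals may create folders at the drive root? That is
#    the precondition for recreating the missing path. Heuristic match on rights.
(Get-Acl -LiteralPath 'C:\').Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.IdentityReference -match 'Authenticated Users|BUILTIN\\Users' -and
                   $_.FileSystemRights -match 'CreateDirectories|AppendData|Write|Modify|FullControl' } |
    ForEach-Object { Write-Warning ('Root ACL grants {0}: {1}' -f $_.IdentityReference, $_.FileSystemRights) }

# 3. Compare the running agent's file version with the fixed builds.
$agent = Get-Process -Name edpa -ErrorAction SilentlyContinue | Select-Object -First 1
if ($agent -and $agent.Path) {
    Write-Output (Test-DlpAgentBuild (Get-Item -LiteralPath $agent.Path).VersionInfo.FileVersionRaw)
} else {
    Write-Output 'edpa.exe not running or its path is not readable; check the installed version another way.'
}
```

A warning from step 1 or a VULNERABLE result from step 3 is the signal to escalate; step 2 only reports the default condition the article describes and is expected to fire on many stock Windows installs.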
The bottom line is simple. CVE-2026-3991 is not a remote wormable bug, but it is still dangerous because it can hand full SYSTEM access to anyone who already has a limited foothold on an affected Windows device. In enterprise environments, that is often enough to turn a minor intrusion into a much larger compromise.
Key facts
- CVE-2026-3991 is a local privilege escalation flaw in Symantec Data Loss Prevention Windows Endpoint.
- Severity is HIGH with a CVSS 3.1 base score of 7.8.
- Fixed versions include 25.1 MP1, 16.1 MP2, 16.0 RU2 HF9, 16.0 RU1 MP1 HF12, and 16.0 MP2 HF15.
- Broadcom published the advisory on March 30, 2026.
- Manuel Feifel received credit for the discovery.
Version table
| Branch | Vulnerable before | Fixed build |
|---|---|---|
| DLP 25.1 | 25.1 MP1 | 25.1.00100.60229 |
| DLP 16.1 | 16.1 MP2 | 16.1.00200.60431 |
| DLP 16.0 RU2 | RU2 HF9 | 16.0.20009.60689 |
| DLP 16.0 RU1 MP1 | HF12 | 16.0.10112.60928 |
| DLP 16.0 MP2 | HF15 | 16.0.00215.62094 |
FAQ
It is a high-severity privilege escalation flaw in the Symantec DLP Agent for Windows that can let a low-privileged local attacker gain elevated access.
Public records describe it as a local vulnerability, not a remote unauthenticated bug. An attacker needs an existing foothold on the machine first.
Public reporting on the research says the vulnerable SYSTEM-level process is edpa.exe, which may load attacker-controlled OpenSSL configuration data from a hardcoded path.
Broadcom’s advisory focuses on upgrading to a fixed version. Public sources around the disclosure do not describe a vendor workaround that removes the risk without patching.