Symantec DLP Agent Flaw Allows Attackers to Escalate Privileges
A high-severity security flaw impacts the Symantec Data Loss Prevention (DLP) Agent for Windows.
Tracked as CVE-2026-3991, this vulnerability allows a low-privileged local attacker to escalate their system privileges to the highest level.
Security researcher Manuel Feifel discovered the flaw, and Broadcom has recently released patches to address the issue.
The vulnerability carries a CVSS score of 7.8. It requires no special configuration to exploit, meaning agents running with default settings are fully exposed.
Symantec DLP Agent Vulnerability
The core issue originates from how the OpenSSL library was compiled and integrated into the Symantec DLP Agent.
The library was built with a hardcoded configuration path pointing to a specific development directory that does not exist on standard Windows installations.
Because Windows often grants authenticated users the default permission to create missing folders at the root directory level, any low-privileged user can recreate this development path. The vulnerable process edpa.exe runs with SYSTEM privileges.
When this process starts, it searches for its OpenSSL configuration file (openssl.cnf) at that hardcoded location, which a local attacker can create and control.
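The root cause above is a build-time OPENSSLDIR baked into the agent's OpenSSL library. The following added audit script (not code from the advisory or from Broadcom) extracts the compiled-in OPENSSLDIR literal that OpenSSL embeds in its binaries and flags directories that sit outside a protected root and do not exist on the host, the combination a low-privileged user could exploit. The sample binary fragments, the PROTECTED_ROOTS list and the risk labels are assumptions of this example.

```python
"""Audit binaries for a compiled-in OpenSSL config directory (OPENSSLDIR)."""
from __future__ import annotations

import os
import re
import sys

# OpenSSL embeds its build-time config directory as the literal
# OPENSSLDIR: "<path>" (the string OpenSSL_version(OPENSSL_DIR) returns).
_OPENSSLDIR_RE = re.compile(rb'OPENSSLDIR: "([^"\x00]{1,260})"')

# Roots that ordinary users cannot write to on a default Windows install
# (assumed list; extend for your environment).
PROTECTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


def extract_openssldirs(blob: bytes) -> list[str]:
    """Return every OPENSSLDIR literal found in a binary image (EXE/DLL bytes)."""
    return [m.group(1).decode("ascii", "replace") for m in _OPENSSLDIR_RE.finditer(blob)]


def is_protected(path: str) -> bool:
    """True if the path lies under a root that only administrators can write to."""
    norm = path.replace("/", "\\").lower().rstrip("\\")
    return any(norm == r or norm.startswith(r + "\\") for r in PROTECTED_ROOTS)


def assess(path: str, exists: bool | None = None) -> dict:
    """Classify a compiled-in OPENSSLDIR.

    Outside a protected root AND missing on the host is the CVE-2026-3991
    pattern: a low-privileged user could create the directory and plant an
    openssl.cnf that a SYSTEM process will trust.
    """
    if exists is None:
        exists = os.path.isdir(path)
    protected = is_protected(path)
    if protected:
        risk = "low"
    elif exists:
        risk = "medium"   # exists: verify only administrators can write to it
    else:
        risk = "high"     # missing and in user-creatable territory
    return {"path": path, "protected": protected, "exists": exists, "risk": risk}


def audit_file(filename: str) -> list[dict]:
    with open(filename, "rb") as f:
        return [assess(p) for p in extract_openssldirs(f.read())]


# Constructed sample fragments, not bytes from any real product binary.
SAMPLE_SAFE = b'\x00\x00OPENSSLDIR: "C:\\Program Files\\Common Files\\SSL"\x00'
SAMPLE_DEV = b'\x00\x00OPENSSLDIR: "C:\\BuildBox\\dev\\openssl\\out\\SSL"\x00'

if __name__ == "__main__":
    for fn in sys.argv[1:]:
        for r in audit_file(fn):
            print(f"{fn}: {r['path']} -> {r['risk']}")
```

Run it against the agent's OpenSSL DLLs and edpa.exe; a "high" result means the config directory should be created under an administrator-only ACL or the binary rebuilt with a protected OPENSSLDIR.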
To successfully exploit CVE-2026-3991, a threat actor with basic local access must follow a straightforward attack path.
- The attacker creates the missing directory structure at C:VontuDevworkDiropenssloutputx64ReleaseSSL.
- They place a malicious openssl.cnf file and a payload DLL into this newly created folder.
- The crafted configuration file uses the standard OpenSSL directive dynamic_path to point directly to the attacker’s DLL.
- When the Symantec DLP Agent service restarts or triggers an OpenSSL initialization, it reads the malicious configuration file.
- The system loads the attacker’s DLL as a dynamic engine and executes it immediately with SYSTEM privileges.
Because the malicious code executes directly within the trusted DLP agent process, the attack is particularly dangerous to enterprise networks.
Threat actors can leverage this technique to bypass endpoint security protections and evade system telemetry completely.
Furthermore, attackers can use this compromised process to maintain deep, persistent access on the host machine while appearing entirely legitimate to security monitoring tools.
Affected and Patched Versions
Broadcom was first notified of the issue in November 2025 and released an official security advisory and fixes on March 30, 2026.
Organizations relying on Symantec DLP should immediately update their Windows endpoint agents to mitigate this threat.
The vulnerability affects Symantec DLP Agents before versions 16.1 MP2 or 25.1 MP1.
System administrators are strongly advised to upgrade to the following fixed versions of Data Loss Prevention (DLP): DLP 25.1 MP1, DLP 16.1 MP2, DLP 16.0 RU2 HF9, DLP 16.0 RU1 MP1 HF12, and DLP 16.0 MP2 HF15, as highlighted in the Infoguard Labs advisory.
Administrators should prioritize these patches, especially in environments where insider threats, local privilege escalation, or lateral movement are significant security concerns.