{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/330121#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nThe IDrive Cloud Backup Client for Windows, versions 7.0.0.63 and earlier, contains a privilege escalation vulnerability that allows any authenticated user to run arbitrary executables with `NT AUTHORITY\\SYSTEM` permissions. \r\n\r\n### Description\r\nIDrive is a cloud backup service that allows users to encrypt, sync, and store data from multiple devices such as PCs, Macs, iPhones, and Androids in one cloud-based account. IDrive provides a Windows client for both desktop and server editions, which acts as both a thick client and a thin client with a web interface to manage cloud backups.\r\n\r\n**CVE-2026-1995** The IDrive Windows client utility `id_service.exe` runs as a process with elevated `SYSTEM` privileges and regularly reads from several files located under `C:\\ProgramData\\IDrive`. The UTF16-LE encoded contents of these files are used by the service as arguments for starting processes. Because of weak permission configurations, these files can be edited by any standard user logged into the system. An authenticated, low-privilege attacker can overwrite or add a new file that specifies a path to an arbitrary script or `.exe`, which will then be executed by the `id_service.exe` process with `SYSTEM` privileges.\r\n\r\n### Impact\r\nThis vulnerability enables an authenticated local user, or any user with access to the affected directory, to execute arbitrary code as `SYSTEM` on the target Windows device. A local attacker could exploit this vulnerability to escalate privileges and gain full control over the target machine, potentially enabling data theft, system modification, or arbitrary script execution.\r\n\r\n### Solution\r\nIDrive has reported that a patch for this vulnerability is currently in development. Users should monitor IDrive releases and update their software to the latest version as soon as it becomes available. In the meantime, users are advised to restrict write permissions for the affected directory and employ additional controls such as EDR monitoring and Group Policies to detect and prevent unauthorized file modifications. \r\n\r\n### Acknowledgements\r\nThanks to Matthew Owens and FRSecure for discovering and reporting this vulnerability. This document was written by Molly Jaconski.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/330121"},{"url":"https://frsecure.com/blog/idrive-cve-2026-1995/","summary":"https://frsecure.com/blog/idrive-cve-2026-1995/"}],"title":"IDrive for Windows contains local privilege escalation vulnerability","tracking":{"current_release_date":"2026-03-24T20:27:22+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#330121","initial_release_date":"2026-03-24 17:58:34.537902+00:00","revision_history":[{"date":"2026-03-24T20:27:22+00:00","number":"1.20260324202722.2","summary":"Released on 2026-03-24T20:27:22+00:00"}],"status":"final","version":"1.20260324202722.2"}},"vulnerabilities":[{"title":"IDrive’s id_service.","notes":[{"category":"summary","text":"IDrive’s id_service.exe process runs with elevated privileges and regularly reads from several files under the C:\\ProgramData\\IDrive\\ directory. The UTF16-LE encoded contents of these files are used as arguments for starting a process, but they can be edited by any standard user logged into the system. An attacker can overwrite or edit the files to specify a path to an arbitrary executable, which will then be executed by the id_service.exe process with SYSTEM privileges."}],"cve":"CVE-2026-1995","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#330121"}]}],"product_tree":{"branches":[]}}