{"vuid":"VU#420440","idnumber":"420440","name":"Vulnerable Python version used in Forcepoint One DLP Client","keywords":null,"overview":"### Overview\r\n\r\nA vulnerability in the Forcepoint One DLP Client allows bypass of the vendor-implemented Python restrictions designed to prevent arbitrary code execution. By reconstructing the `ctypes` FFI environment and applying a version-header patch to the `ctypes.pyd` module, an attacker can restore `ctypes` functionality within the bundled Python 2.5.4 runtime, enabling direct invocation of DLLs, memory manipulation, and execution of arbitrary code.\r\n\r\n### Description\r\n\r\nThe Forcepoint One DLP Client (version 23.04.5642 and potentially subsequent versions) shipped with a constrained Python 2.5.4 runtime that omitted the `ctypes` foreign function interface (FFI) library. Although this limitation appeared intended to mitigate malicious use, it was demonstrated that the restriction could be bypassed by transferring compiled `ctypes` dependencies from another system and applying a version-header patch to the `ctypes.pyd` module. Once patched and correctly positioned on the search path, the previously restrained Python environment would successfully load `ctypes`, permitting execution of arbitrary shellcode or DLL-based payloads.\r\n\r\nForcepoint acknowledged the issue and indicated that a fix would be included in an upcoming release. According to Forcepoint’s published knowledge base article (KB 000042256), the vulnerable Python runtime has been removed from Forcepoint One Endpoint (F1E) builds after version 23.11 associated with Forcepoint DLP v10.2.\r\n\r\n### Impact\r\n\r\nArbitrary code execution within the DLP client may allow an attacker to interfere with or bypass data loss prevention enforcement, alter client behavior, or disable security monitoring functions. Because the client operates as a security control on enterprise endpoints, exploitation may reduce the effectiveness of DLP protections and weaken overall system security.\r\n\r\nThe complete scope of impact in enterprise environments has not been fully determined.\r\n\r\n### Solution\r\n\r\nForcepoint reports that the vulnerable Python runtime has been removed in Endpoint builds after version 23.11 (Forcepoint DLP v10.2).\r\nUsers should upgrade to Endpoint versions which have been validated to no longer contain python.exe.\r\n\r\n### Acknowledgements\r\n\r\nThanks to the reporter, Keith Lee.\r\nThis document was written by Timur Snoke.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://support.forcepoint.com/s/article/000042256"],"cveids":["CVE-2025-14026"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2026-01-06T14:38:37.342215Z","publicdate":"2026-01-06T14:38:37.164943Z","datefirstpublished":"2026-01-06T14:38:37.357238Z","dateupdated":"2026-01-06T14:38:37.164938Z","revision":1,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":161}