
CISA alerts on Forcepoint One DLP Python runtime vulnerability

The Forcepoint One Data Loss Prevention (DLP) Client contains a flaw in its bundled Python runtime that permits restoration of removed ctypes functionality, enabling arbitrary code execution within the client process.

CVE-2025-14026 is associated with Forcepoint One DLP Client version 23.04.5642 and potentially subsequent versions. The product shipped a constrained Python 2.5.4 runtime that omitted the ctypes foreign function interface (FFI). The demonstrated bypass transferred compiled ctypes dependencies from another system, applied a version-header patch to the ctypes.pyd module, and placed the patched module on the interpreter search path. The bundled runtime then loads ctypes, which permits direct invocation of DLLs, memory manipulation, and execution of arbitrary shellcode or DLL-based payloads.

Arbitrary code execution within the DLP client may allow an attacker to interfere with or bypass DLP enforcement, alter client behavior, or disable security monitoring functions. Because the client operates as a security control on enterprise endpoints, exploitation may reduce the effectiveness of DLP protections and weaken overall system security. The complete scope of impact in enterprise environments has not been fully determined.

Forcepoint acknowledged the issue and indicated a fix would be included in an upcoming release. Forcepoint’s published knowledge base article (KB 000042256) states that the vulnerable Python runtime has been removed from Forcepoint One Endpoint (F1E) builds after version 23.11 associated with Forcepoint DLP v10.2. Users should upgrade to Endpoint versions that have been validated to no longer contain python.exe.
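One way to check an endpoint against that guidance, as an added example that is not from the advisory or from Forcepoint: the script walks an install directory supplied by the operator and reports any bundled interpreter files and any ctypes modules found beside them. The install root, the `pythonw.exe`, `pythonNN.dll` and `_ctypes.pyd` file names, and the verdict labels are assumptions of this example; only `python.exe` and `ctypes.pyd` are named in the advisory.

```python
import os
import re
import sys

# Bundled interpreter files: python.exe (named in the advisory); pythonw.exe and
# pythonNN.dll are assumed companions of a CPython install on Windows.
RUNTIME_RE = re.compile(r"^python(w?\.exe|\d+\.dll)$", re.IGNORECASE)
# Compiled FFI module: ctypes.pyd as the advisory names it, _ctypes.pyd as CPython ships it.
FFI_RE = re.compile(r"^_?ctypes\.pyd$", re.IGNORECASE)


def audit_tree(root):
    """Walk root and return {'runtime': [...], 'ffi': [...]} with sorted matching paths."""
    found = {"runtime": [], "ffi": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if RUNTIME_RE.match(name):
                found["runtime"].append(path)
            elif FFI_RE.match(name):
                found["ffi"].append(path)
        # A ctypes package directory (ctypes/__init__.py) is the pure-Python half of the FFI.
        for d in dirnames:
            if d.lower() == "ctypes" and os.path.isfile(os.path.join(dirpath, d, "__init__.py")):
                found["ffi"].append(os.path.join(dirpath, d))
    found["runtime"].sort()
    found["ffi"].sort()
    return found


def verdict(found):
    """Map findings to a triage label (labels are this example's own)."""
    if found["runtime"] and found["ffi"]:
        return "runtime-with-ctypes"  # FFI files beside the restricted runtime: investigate
    if found["runtime"]:
        return "runtime-present"      # bundled interpreter still shipped: upgrade pending
    if found["ffi"]:
        return "ffi-only"             # stray ctypes files without an interpreter
    return "clean"


if __name__ == "__main__":
    # Usage: python audit_f1e.py <install-root>  (site-specific path; none is given in the advisory)
    result = audit_tree(sys.argv[1])
    for kind in ("runtime", "ffi"):
        for p in result[kind]:
            print("%-8s %s" % (kind, p))
    print("verdict: " + verdict(result))
    sys.exit(0 if verdict(result) == "clean" else 1)
```

The scan covers only the tree it is given; the interpreter search path can include directories outside the install root, so those need the same check.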

The advisory includes a reference to Forcepoint’s knowledge base article, KB 000042256 (https://support.forcepoint.com/s/article/000042256), and lists “Contact us about this vulnerability” and guidance on how to provide a vendor statement.