CISA updates on IDrive Windows privilege escalation vulnerability
The IDrive Cloud Backup Client for Windows, versions 7.0.0.63 and earlier, has a local privilege escalation vulnerability that allows an authenticated user to execute arbitrary executables with NT AUTHORITY\SYSTEM permissions, enabling code execution on the target Windows device.
The affected component is the Windows client utility id_service.exe, which runs with elevated SYSTEM privileges and regularly reads UTF16-LE encoded contents from several files located under C:\ProgramData\IDrive. The service uses the UTF16-LE contents as arguments for starting processes. Due to weak permission configurations, any standard user logged into the system can edit these files. CVE-2026-1995 describes how an authenticated, low-privilege attacker can overwrite or add a new file that specifies a path to an arbitrary script or .exe, which is then executed by id_service.exe with SYSTEM privileges.
The vulnerability enables an authenticated local user, or any user with access to the affected directory, to execute arbitrary code as SYSTEM on the target Windows device. A local attacker could exploit this vulnerability to escalate privileges and gain full control over the target machine, potentially enabling data theft, system modification, or arbitrary script execution.
IDrive reported that a patch for this vulnerability is currently in development. In the meantime, users are advised to restrict write permissions on the affected directory and to employ additional controls such as Endpoint Detection and Response (EDR) monitoring and Group Policy to detect and prevent unauthorized file modifications.
The guidance for the vulnerability also recommends monitoring IDrive releases and updating the software to the latest version as soon as it becomes available.
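A check for the interim mitigation above, added here as an example and not taken from CISA's advisory or IDrive's software: it lists every ACE under C:\ProgramData\IDrive that grants write-class rights to a principal other than SYSTEM or Administrators, and with -Harden removes those rights from the directory. The path is the one the advisory names; the trusted-principal list and the rights mask are assumptions.

```powershell
# Added example, not from the CISA advisory or IDrive: audit the ACLs under the
# directory named in the advisory for entries that let non-administrative
# principals write, and optionally strip those write rights from the directory.
# Assumes the path C:\ProgramData\IDrive; run from an elevated PowerShell session.
param(
    [string]$Path = 'C:\ProgramData\IDrive',
    [switch]$Harden   # without this switch the script only reports
)
$Rights = [System.Security.AccessControl.FileSystemRights]
# Rights that let a user plant, alter or re-permission a file the SYSTEM service reads
$writeMask = $Rights::Write -bor $Rights::Modify -bor $Rights::FullControl -bor
             $Rights::Delete -bor $Rights::ChangePermissions -bor $Rights::TakeOwnership
# Principals expected to hold write access here (assumed)
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Get-WeakAce {
    param([string]$Target)
    $acl = Get-Acl -LiteralPath $Target
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Target
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
$weak  = @($items | ForEach-Object { Get-WeakAce -Target $_.FullName })
$weak | Format-Table -AutoSize

if ($Harden -and $weak.Count -gt 0) {
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting ProgramData's permissive ACL, but copy the inherited
    # entries as explicit ones so that only the write rights below change.
    $acl.SetAccessRuleProtection($true, $true)
    $principals = $weak | Where-Object Path -eq $Path |
                  Select-Object -ExpandProperty Principal -Unique
    foreach ($principal in $principals) {
        # Remove only the write-class rights; read access for the client UI is kept.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, $writeMask, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        [void]$acl.RemoveAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}
```

Run the audit-only form first and test -Harden on a non-production host, since the client's user-mode components may legitimately need to write to parts of this directory; re-run the audit after the vendor patch is installed, as the fix may change the expected permissions.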