Cyber Resilience

CVE-2025-14026

High

Published: 06 January 2026

Modified: 10 February 2026
KEV Added:
Patch:
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0008 (24.0th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-14026 is a high-severity vulnerability, with an unspecified weakness type, in Forcepoint One Data Loss Prevention. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006). The CVE is ranked at the 24.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-14026 affects the Forcepoint One DLP Client, specifically version 23.04.5642 and possibly newer versions. The vulnerability involves a restricted version of Python 2.5.4 embedded in the client, which is intended to prevent use of the ctypes library. The ctypes library serves as a foreign function interface (FFI) for Python, allowing calls to DLLs or shared libraries, memory allocation, and direct code execution. Researchers demonstrated that these restrictions on ctypes can be bypassed.

The CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates a high-severity local vulnerability. A local attacker with low privileges can exploit it with low complexity and no user interaction required. Successful exploitation enables high-impact confidentiality, integrity, and availability violations, such as arbitrary code execution via DLL calls and memory manipulation, potentially undermining the DLP client's security controls.

Advisories from CERT (https://kb.cert.org/vuls/id/420440) and Forcepoint (https://support.forcepoint.com/s/article/000042256) provide details on the issue. Security practitioners should consult these references for recommended mitigations, patches, or workarounds specific to affected Forcepoint One DLP Client deployments.

EU & UK References

Vulnerability details

Forcepoint One DLP Client, version 23.04.5642 (and possibly newer versions), includes a restricted version of Python 2.5.4 that prevents use of the ctypes library. ctypes is a foreign function interface (FFI) for Python, enabling calls to DLLs/shared libraries, memory allocation, and direct code execution. It was demonstrated that these restrictions could be bypassed.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1059.006 Python (Tactic: Execution)
Adversaries may abuse Python commands and scripts for execution.
T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1106 Native API (Tactic: Execution)
Adversaries may interact with the native OS application programming interface (API) to execute behaviors.
Why these techniques?

Bypass of embedded Python restrictions enables direct use of Python interpreter and native API calls (ctypes) for arbitrary code execution and memory/DLL manipulation, directly facilitating local privilege escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

Affected Assets

forcepoint
one data loss prevention
23.04.5642

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent · recover

Directly remediates the ctypes restriction bypass vulnerability in the embedded Python 2.5.4 of Forcepoint One DLP Client through timely application of vendor patches or workarounds.

prevent

Prohibits use of the unsupported and end-of-life Python 2.5.4 component, which is inherently vulnerable to the demonstrated ctypes bypass enabling arbitrary code execution.

prevent

Provides memory safeguards such as DEP and ASLR to mitigate unauthorized code execution and memory manipulation resulting from successful ctypes bypass exploitation.

References