
CERT Coordination Center

Vulnerable Python version used in Forcepoint One DLP Client

Vulnerability Note VU#420440

Original Release Date: 2026-01-06 | Last Revised: 2026-01-06

Overview

A vulnerability in the Forcepoint One DLP Client allows bypass of the vendor-implemented Python restrictions designed to prevent arbitrary code execution. By reconstructing the ctypes FFI environment and applying a version-header patch to the ctypes.pyd module, an attacker can restore ctypes functionality within the bundled Python 2.5.4 runtime, enabling direct invocation of DLLs, memory manipulation, and execution of arbitrary code.

Description

The Forcepoint One DLP Client (version 23.04.5642 and potentially subsequent versions) shipped with a constrained Python 2.5.4 runtime that omitted the ctypes foreign function interface (FFI) library. Although this limitation appeared intended to mitigate malicious use, it was demonstrated that the restriction could be bypassed by transferring compiled ctypes dependencies from another system and applying a version-header patch to the ctypes.pyd module. Once patched and correctly positioned on the search path, the previously restrained Python environment would successfully load ctypes, permitting execution of arbitrary shellcode or DLL-based payloads.

Forcepoint acknowledged the issue and indicated that a fix would be included in an upcoming release. According to Forcepoint's published knowledge base article (KB 000042256), the vulnerable Python runtime has been removed from Forcepoint One Endpoint (F1E) builds after version 23.11 associated with Forcepoint DLP v10.2.

Impact

Arbitrary code execution within the DLP client may allow an attacker to interfere with or bypass data loss prevention enforcement, alter client behavior, or disable security monitoring functions. Because the client operates as a security control on enterprise endpoints, exploitation may reduce the effectiveness of DLP protections and weaken overall system security.

The complete scope of impact in enterprise environments has not been fully determined.

Solution

Forcepoint reports that the vulnerable Python runtime has been removed in Endpoint builds after version 23.11 (Forcepoint DLP v10.2). Users should upgrade to Endpoint versions which have been validated to no longer contain python.exe.
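One way to confirm this on an endpoint is to audit the Endpoint installation folder for the bundled interpreter and for ctypes files, which the shipped runtime omitted. The script below is an added example, not Forcepoint or CERT/CC code. It assumes the operator supplies the installation folder path, and the names `python25.dll` and `_ctypes.pyd` are standard CPython file names, not values taken from this note.

```python
import os
import sys

# Files that mean the bundled interpreter is still installed (python25.dll is
# the Python 2.5 core DLL on Windows; assumption, not named in the note).
RUNTIME_NAMES = {"python.exe", "python25.dll"}
# ctypes artifacts: the note's ctypes.pyd, plus _ctypes.pyd, the name CPython
# gives its ctypes extension module on Windows (assumption).
CTYPES_NAMES = {"ctypes.pyd", "_ctypes.pyd"}


def audit_install_dir(root):
    """Return relative paths of runtime and ctypes artifacts found under root."""
    findings = {"runtime": [], "ctypes": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            lowered = name.lower()  # Windows file names are case-insensitive
            if lowered in RUNTIME_NAMES:
                findings["runtime"].append(rel)
            elif lowered in CTYPES_NAMES:
                findings["ctypes"].append(rel)
        for name in dirnames:
            # A ctypes package directory (one with __init__.py) also counts.
            pkg = os.path.join(dirpath, name)
            if name.lower() == "ctypes" and os.path.isfile(os.path.join(pkg, "__init__.py")):
                findings["ctypes"].append(os.path.relpath(pkg, root))
    findings["runtime"].sort()
    findings["ctypes"].sort()
    return findings


def verdict(findings):
    """Map findings to an action for the endpoint."""
    if findings["ctypes"]:
        # The shipped runtime omitted ctypes, so any ctypes file is unexpected.
        return "investigate"
    if findings["runtime"]:
        return "upgrade"
    return "ok"


if __name__ == "__main__":
    # Usage: python audit_f1e.py <Endpoint installation folder> (site-specific path)
    result = audit_install_dir(sys.argv[1])
    for kind in ("runtime", "ctypes"):
        for path in result[kind]:
            print("%-8s %s" % (kind, path))
    print("verdict: " + verdict(result))
```

A verdict of `upgrade` means the interpreter is still shipped in that build; `investigate` means ctypes files are present where the vendor runtime had none.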

Acknowledgements

Thanks to the reporter, Keith Lee. This document was written by Timur Snoke.

Vendor Information


Forcepoint Not Affected

Notified:  2025-10-27 Updated: 2026-01-06

Statement Date:   December 04, 2025

CVE-2025-14026 Not Affected

Vendor Statement

Forcepoint published this KB

https://support.forcepoint.com/s/article/000042256

Providing the detail

"Forcepoint One Endpoint (F1E) - Fixed in the upcoming F1E build after 23.11 associated with the Forcepoint DLP v10.2 release python.exe has been removed from the F1E installer"

We have validated a number of endpoint builds in our lab and have confirmed that python.exe is no longer present in the Endpoint installation folder as long as the user is using Endpoint builds released in 2024 and onwards.

References

CERT Addendum

By virtue of the vulnerability existing in earlier versions of the software, the product is considered affected, and as a result a CVE was assigned.


Other Information

CVE IDs: CVE-2025-14026
Date Public: 2026-01-06
Date First Published: 2026-01-06
Date Last Updated: 2026-01-06 14:38 UTC
Document Revision: 1

Sponsored by CISA.