CVE-2020-25736
📋 TL;DR
This vulnerability allows local attackers on macOS systems to escalate privileges from a standard user account to root due to insecure XPC service configuration in Acronis True Image. It affects macOS users running Acronis True Image 2019 update 1 through 2021 update 1. The flaw enables unauthorized access to privileged operations.
💻 Affected Systems
- Acronis True Image
📦 What is this software?
True Image by Acronis
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full root access to the macOS system, enabling complete system compromise, data theft, persistence installation, and lateral movement.
Likely Case
Local user escalates privileges to install malware, modify system files, or access protected data without authorization.
If Mitigated
With proper privilege separation and service hardening, impact limited to denial of service of the Acronis service.
🎯 Exploit Status
Exploit requires local user access but privileges can be escalated without authentication to the vulnerable service. Proof-of-concept code is publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2021 update 2 and later
Vendor Advisory: https://kb.acronis.com/content/68061
Restart Required: Yes
Instructions:
1. Open Acronis True Image.
2. Check for updates in application settings.
3. Install update to version 2021 update 2 or later.
4. Restart the system to ensure service updates are applied.
🔧 Temporary Workarounds
Disable Acronis True Image Service
Temporarily disable the vulnerable XPC service to prevent exploitation
sudo launchctl unload /Library/LaunchDaemons/com.acronis.trueimage.plist
Remove Setuid Permissions
Remove unnecessary privilege escalation capabilities from Acronis binaries
sudo chmod -s /Applications/Acronis\ True\ Image.app/Contents/MacOS/*
🧯 If You Can't Patch
- Restrict local user access to systems running vulnerable versions
- Implement application whitelisting to prevent unauthorized privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check Acronis True Image version in About dialog or run: /Applications/Acronis\ True\ Image.app/Contents/MacOS/TrueImage --version
Check Version:
/Applications/Acronis\ True\ Image.app/Contents/MacOS/TrueImage --version
Verify Fix Applied:
Verify version is 2021 update 2 or later and check that XPC service permissions are properly restricted
📡 Detection & Monitoring
Log Indicators:
- Unauthorized privilege escalation attempts in system logs
- Unexpected process launches from Acronis binaries with root privileges
Network Indicators:
- Local XPC communication attempts to Acronis services
SIEM Query:
process_name:"TrueImage" AND parent_process:"launchd" AND user:"root"
🔗 References
- http://packetstormsecurity.com/files/170246/Acronis-TrueImage-XPC-Privilege-Escalation.html
- https://kb.acronis.com/content/68061
- https://www.acronis.com/en-us/blog/