CVE-2020-35145

7.8 HIGH

📋 TL;DR

CVE-2020-35145 is a local privilege escalation vulnerability in Acronis True Image for Windows, caused by DLL hijacking (an untrusted search path) in multiple components. It allows an attacker with local access to execute arbitrary code with elevated privileges. Installations of Acronis True Image for Windows prior to 2021 Update 3 are affected.

💻 Affected Systems

Products:
  • Acronis True Image for Windows
Versions: prior to 2021 Update 3
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default installations due to untrusted search path issues in multiple components.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker gains full administrative control over the system, enabling data theft, malware installation, or system compromise.

🟠 Likely Case

Local users or malware escalate privileges to install persistent backdoors or bypass security controls.

🟢 If Mitigated

With proper access controls and patching, impact is limited to denial of service or minimal privilege abuse.

🌐 Internet-Facing: LOW, as exploitation requires local access to the system, not remote network exposure.
🏢 Internal Only: HIGH, because it can be exploited by malicious insiders or malware that has already breached the local environment.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation involves placing a malicious DLL in a specific path; public proof-of-concept code is available, making it accessible to attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2021 Update 3 or later

Vendor Advisory: https://www.acronis.com/en-us/support/updates/changes.html?p=42246

Restart Required: Yes

Instructions:

1. Open Acronis True Image.
2. Go to Help > Check for Updates.
3. Install Update 3 or newer.
4. Restart the system as prompted.

🔧 Temporary Workarounds

Restrict DLL Search Path Permissions (Windows)

Modify file permissions to prevent unauthorized DLL placement in vulnerable directories. Note that a Deny entry for Everyone also applies to Administrators and SYSTEM, so it must be removed again (icacls ... /remove:d Everyone) before the updater can write to the directory.

icacls "C:\Program Files\Acronis\TrueImage" /deny Everyone:(OI)(CI)W

🧯 If You Can't Patch

  • Remove or restrict local user access to vulnerable systems to reduce attack surface.
  • Implement application whitelisting to block execution of unauthorized DLLs.

🔍 How to Verify

Check if Vulnerable:

Check the Acronis True Image version via Help > About; if version is earlier than 2021 Update 3, it is vulnerable.

Check Version:

wmic product where name="Acronis True Image" get version

Verify Fix Applied:

After updating, confirm version is 2021 Update 3 or later in Help > About.

📡 Detection & Monitoring

Log Indicators:

  • Unusual DLL load events from Acronis processes (e.g., Sysmon Event ID 7, Image loaded) where the loaded module lies outside the Acronis installation directory.

Network Indicators:

  • No direct network indicators, as this is a local exploit.

SIEM Query:

EventID=7 AND ProcessName LIKE "%Acronis%" AND DLLPath NOT LIKE "%Program Files%Acronis%"
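As written, the query above also matches every system DLL an Acronis process loads from C:\Windows\System32. The following is an added example, not part of the original advisory, that applies the same logic to Sysmon Event ID 7 records with a trusted-directory allow list; the install paths, the "Program Files (x86)" location and all sample events are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 7 records (Image = loading process, ImageLoaded = DLL).
# Names and paths are illustrative only, not real telemetry or real Acronis modules.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Acronis\TrueImage\TrueImage.exe",
     "ImageLoaded": r"C:\Program Files\Acronis\TrueImage\example_component.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Acronis\TrueImage\TrueImage.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},          # expected: not flagged
    {"EventID": 7, "Image": r"C:\Program Files\Acronis\TrueImage\TrueImage.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\unexpected.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Acronis\TrueImage\TrueImage.exe",
     "ImageLoaded": r"C:\Windows\Temp\unexpected2.dll"},          # writable, not trusted
    {"EventID": 1, "Image": r"C:\Program Files\Acronis\TrueImage\TrueImage.exe",
     "ImageLoaded": ""},                                           # not an image-load event
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\other.dll"},        # not an Acronis process
]

# Directories from which an Acronis process is expected to load modules (assumptions).
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Program Files\Acronis"),
    PureWindowsPath(r"C:\Program Files (x86)\Acronis"),
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)

def _under(path, root):
    """Case-insensitive, component-wise test that path lies inside root."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    root_parts = [p.lower() for p in root.parts]
    return parts[:len(root_parts)] == root_parts

def is_acronis_process(image):
    """Equivalent of ProcessName LIKE "%Acronis%" in the SIEM query."""
    return "acronis" in image.lower()

def suspicious_loads(events):
    """Return Event ID 7 records where an Acronis process loaded a DLL from
    outside every trusted directory (the SIEM query minus system-DLL noise)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7 or not ev.get("ImageLoaded"):
            continue
        if not is_acronis_process(ev.get("Image", "")):
            continue
        if any(_under(ev["ImageLoaded"], root) for root in TRUSTED_DIRS):
            continue
        hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in suspicious_loads(SAMPLE_EVENTS):
        print(f"ALERT: {ev['Image']} loaded {ev['ImageLoaded']}")
```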
