CVE-2021-38088

7.8 HIGH

📋 TL;DR

This vulnerability allows local attackers to escalate privileges on Windows systems running vulnerable versions of Acronis Cyber Protect 15. Attackers can hijack binaries to execute arbitrary code with elevated privileges. Only users with local access to affected systems are at risk.

💻 Affected Systems

Products:
  • Acronis Cyber Protect 15 for Windows
Versions: All versions prior to build 27009
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations. Requires local access to the system.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise where an attacker gains SYSTEM/administrator privileges, enabling installation of persistent malware, credential theft, and lateral movement across the network.

🟠 Likely Case

Local privilege escalation allowing attackers to bypass security controls, install unauthorized software, or access protected system resources.

🟢 If Mitigated

Limited impact if proper access controls, least privilege principles, and application whitelisting are implemented.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: HIGH - Malicious insiders or compromised user accounts can exploit this to gain elevated privileges on affected systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Binary hijacking vulnerabilities typically have low exploitation complexity for attackers with local access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Build 27009 or later

Vendor Advisory: https://kb.acronis.com/content/68564

Restart Required: Yes

Instructions:

1. Download and install Acronis Cyber Protect 15 build 27009 or later from the official Acronis portal.
2. Follow the standard installation process.
3. Restart the system to complete the update.

🔧 Temporary Workarounds

Restrict local access (platform: windows)

Limit local access to affected systems to trusted users only

Implement application whitelisting (platform: windows)

Use Windows AppLocker or similar to restrict execution of unauthorized binaries

🧯 If You Can't Patch

  • Implement strict least privilege principles for all user accounts
  • Monitor for suspicious binary execution and privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check the Acronis Cyber Protect version in the application interface or via Windows Programs and Features. If the version is below build 27009, the system is vulnerable.

Check Version:

Check via Acronis Cyber Protect GUI or Windows Control Panel > Programs and Features

Verify Fix Applied:

Verify the installed version shows build 27009 or higher in the application interface.
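The version check described above can be scripted for fleet-wide verification. The following is an added example, not part of the advisory or of any Acronis tooling. It reads the Windows "Programs and Features" data from the Uninstall registry keys and assumes that the product entry's DisplayName contains "Acronis Cyber Protect" and that its DisplayVersion ends with the build number (for example a version string whose last dotted component is 27009); both are assumptions to confirm against one known host before relying on the output.

```powershell
# Added example (not from the advisory): flag Acronis Cyber Protect 15 installs
# whose build is below 27009, using the same registry data that backs
# Control Panel > Programs and Features.
# ASSUMPTIONS: DisplayName contains "Acronis Cyber Protect" and the build number
# is the trailing numeric component of DisplayVersion.
$FixedBuild = 27009

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Acronis Cyber Protect*' }

if (-not $entries) {
    Write-Output 'Acronis Cyber Protect not found in the Uninstall registry keys.'
    return
}

foreach ($e in $entries) {
    # Extract the trailing digits of DisplayVersion as the build number (assumption).
    if ($e.DisplayVersion -match '(\d+)$') {
        $build = [int]$Matches[1]
        $state = if ($build -lt $FixedBuild) { 'VULNERABLE (below build 27009)' } else { 'patched' }
    } else {
        $build = 'unknown'
        $state = 'could not parse build number; verify manually in the GUI'
    }
    Write-Output ("{0}  version={1}  build={2}  -> {3}" -f $e.DisplayName, $e.DisplayVersion, $build, $state)
}
```

Run it in an elevated PowerShell session on each host (or push it through your endpoint management tool); a host is considered fixed only when every matching entry reports build 27009 or higher, which is the same condition the "Verify Fix Applied" step asks you to confirm in the application interface.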

📡 Detection & Monitoring

Log Indicators:

  • Unusual binary execution from non-standard paths
  • Privilege escalation events in Windows Security logs
  • Acronis service anomalies

Network Indicators:

  • None - this is a local attack vector

SIEM Query:

Windows Security Event ID 4688 with suspicious parent processes or binary paths
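The SIEM query above can also be run directly on a host when investigating a single machine. The following is an added example, not part of the advisory: it pulls Security event 4688 (process creation) records from the last 24 hours with Get-WinEvent, parses the event XML, and reports processes whose image path is outside the usual system and program directories, which is the "unusual binary execution from non-standard paths" indicator listed above. It assumes process-creation auditing is enabled (4688 is not logged by default), that the shell is elevated, and that the allow-list of expected path prefixes below fits your hosts; the ParentProcessName field is only present on Windows 10 / Server 2016 and later.

```powershell
# Added example (not from the advisory): surface 4688 process-creation events
# whose image path is outside the expected directories.
# ASSUMPTION: the prefix allow-list below matches your build of Windows; tune it
# before using the output for alerting.
$ExpectedPrefixes = @(
    'C:\Windows\',
    'C:\Program Files\',
    'C:\Program Files (x86)\'
)

# Process-creation auditing must be enabled for these events to exist.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

foreach ($ev in $events) {
    # Event data is easiest to read from the XML form; build a name -> value map.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $image  = $data['NewProcessName']
    $parent = $data['ParentProcessName']   # null on older Windows versions
    $user   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"

    $expected = $false
    foreach ($p in $ExpectedPrefixes) {
        if ($image -and $image.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase)) {
            $expected = $true
            break
        }
    }

    if (-not $expected) {
        [pscustomobject]@{
            Time    = $ev.TimeCreated
            User    = $user
            Process = $image
            Parent  = $parent
        }
    }
}
```

Pipe the output to Format-Table or Export-Csv for review. Hits are a starting point, not a verdict: user-profile paths will legitimately appear for installers and updaters, so correlate the reported user, parent process and time with the Acronis service activity and privilege-use events mentioned in the Log Indicators above before escalating.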
