CVE-2021-44198
📋 TL;DR
This CVE describes a DLL hijacking vulnerability in Acronis Cyber Protect 15 for Windows that allows local attackers to escalate privileges by placing a malicious DLL in a location where the application searches for legitimate DLLs. The vulnerability affects all Windows installations of Acronis Cyber Protect 15 before build 28035. Attackers with local access can exploit this to gain SYSTEM-level privileges on the affected machine.
💻 Affected Systems
- Acronis Cyber Protect 15
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains SYSTEM privileges, enabling complete control over the system, installation of persistent malware, credential theft, and lateral movement within the network.
Likely Case
Malicious insider or compromised user account escalates to SYSTEM privileges to install ransomware, steal sensitive data, or maintain persistence on the system.
If Mitigated
With proper access controls and monitoring, exploitation would be detected and contained before significant damage occurs.
🎯 Exploit Status
DLL hijacking is a well-known attack vector. While no public PoC exists for this specific CVE, the technique is straightforward for attackers familiar with Windows DLL loading mechanisms.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 28035 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-2128
Restart Required: Yes
Instructions:
1. Open the Acronis Cyber Protect 15 console.
2. Navigate to Settings > Updates.
3. Check for and apply available updates.
4. Restart the system after the update completes.
5. Verify that the build version is 28035 or higher.
🔧 Temporary Workarounds
Restrict DLL Search Path
Configure Windows to restrict DLL search paths using Group Policy or registry settings to prevent loading from untrusted directories.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f
Application Control Policies
Implement application whitelisting to prevent execution of unauthorized DLLs.
🧯 If You Can't Patch
- Implement strict access controls to limit local user privileges and prevent unauthorized users from accessing systems running Acronis Cyber Protect 15.
- Enable detailed auditing and monitoring for DLL loading events and privilege escalation attempts using Windows Event Log or security monitoring tools.
🔍 How to Verify
Check if Vulnerable:
Check Acronis Cyber Protect 15 build version. If below 28035, the system is vulnerable.
Check Version:
Open Acronis Cyber Protect 15 console, go to Help > About, or check program files version information.
Verify Fix Applied:
Verify Acronis Cyber Protect 15 build version is 28035 or higher after applying the update.
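The version check above and the SafeDllSearchMode workaround can both be scripted. The following PowerShell is an added example written for this page; it is not code from the advisory or from Acronis. It assumes the product registers under the standard Uninstall keys with a display name beginning "Acronis Cyber Protect", that the build number is the largest numeric component of the version string (28035 exceeds any plausible major or minor value), and that the operator supplies the path of an Acronis binary when the registry entry is missing.

```powershell
# Added example (not from the advisory or from Acronis): compares the installed
# Acronis Cyber Protect 15 build with the fixed build 28035 and reads the
# SafeDllSearchMode workaround value. Assumptions are marked inline.

$FixedBuild = 28035   # fixed build number stated in the advisory

function Get-BuildFromVersionString {
    # Extracts the build number from a version string such as "15.0.28035.123".
    # ASSUMPTION: the build is the largest numeric component of the string, since
    # the exact position of the build in the vendor's version string is not
    # documented on this page.
    param([Parameter(Mandatory)][string]$Version)
    $parts = [regex]::Matches($Version, '\d+') | ForEach-Object { [int]$_.Value }
    if (-not $parts) { return $null }
    return [int]($parts | Measure-Object -Maximum).Maximum
}

function Test-AcronisBuild {
    # Looks the product up in the Uninstall keys (64-bit and 32-bit views) and
    # flags entries whose build is below the fixed build. An entry whose version
    # cannot be parsed is flagged as well, so that nothing is silently skipped.
    param([int]$MinimumBuild = $FixedBuild)
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    # ASSUMPTION: the display-name pattern below matches the product's entry.
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Acronis Cyber Protect*' } |
        ForEach-Object {
            $build = Get-BuildFromVersionString -Version ([string]$_.DisplayVersion)
            [pscustomobject]@{
                Product    = $_.DisplayName
                Version    = $_.DisplayVersion
                Build      = $build
                Vulnerable = (($null -eq $build) -or ($build -lt $MinimumBuild))
            }
        }
}

function Test-FileBuild {
    # Fallback when no registry entry exists: read the file version of an
    # Acronis binary. The path is a placeholder the operator must supply.
    param([Parameter(Mandatory)][string]$Path, [int]$MinimumBuild = $FixedBuild)
    $vi    = (Get-Item -LiteralPath $Path).VersionInfo
    $build = Get-BuildFromVersionString -Version ([string]$vi.FileVersion)
    [pscustomobject]@{
        File       = $Path
        Version    = $vi.FileVersion
        Build      = $build
        Vulnerable = (($null -eq $build) -or ($build -lt $MinimumBuild))
    }
}

function Test-SafeDllSearchMode {
    # Reads the workaround value set by the reg add command above. On supported
    # Windows versions the mode is on by default, so a missing value means enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $val = (Get-ItemProperty -Path $key -Name SafeDllSearchMode -ErrorAction SilentlyContinue).SafeDllSearchMode
    if ($null -eq $val) { return 'enabled (default, value not set)' }
    if ($val -eq 1)     { return 'enabled (explicitly set to 1)' }
    return 'DISABLED (value 0): re-apply the reg add command from the workaround'
}

# Usage
Test-AcronisBuild | Format-Table -AutoSize
"SafeDllSearchMode: $(Test-SafeDllSearchMode)"
# Test-FileBuild -Path 'C:\Program Files\<Acronis binary>.exe'   # placeholder path
```

Run it from an elevated session so both registry views are readable; a Vulnerable value of True on any row means the host is still below build 28035 (or its version string could not be parsed and should be checked by hand in Help > About).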
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 4688 (Process Creation) showing Acronis processes loading DLLs from unusual locations
- Security Event ID 4672 (Special privileges assigned to new logon) following Acronis process execution
Network Indicators:
- Unusual outbound connections from Acronis processes post-exploitation
SIEM Query:
source="Windows Security" EventID=4688 AND ProcessName="*Acronis*" AND CommandLine="*dll*" | stats count by ProcessName, CommandLine
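The SIEM query above keys on Security Event ID 4688. The following PowerShell is an added example written for this page, not code from the advisory or from Acronis, and it goes one step beyond the query: besides pulling the 4688 records for Acronis processes, it inspects the DLLs actually loaded by running Acronis processes and flags any that sit outside the expected program or system directories or that fail Authenticode validation, which is the condition a DLL-hijack leaves behind. It assumes the product's binaries live under a path containing "Acronis" and that the expected module locations are Program Files and the Windows system directories. Note that 4688 records process creation (and the command line only when command-line auditing is enabled); it does not record which DLLs a process loaded, which is why the second function exists.

```powershell
# Added example (not from the advisory or from Acronis): two defender-side
# checks for the DLL-hijacking scenario described on this page.
#  1. Security Event ID 4688 records whose new process is an Acronis binary
#     (the event the SIEM query above keys on).
#  2. DLLs currently loaded by running Acronis processes that are outside the
#     expected directories or carry an invalid Authenticode signature.
# Run from an elevated session (Security log, other users' processes).

function Get-AcronisProcessCreationEvents {
    # Returns parsed 4688 events whose NewProcessName matches the pattern.
    param(
        [string]$ImagePattern = '*Acronis*',   # ASSUMPTION: product binaries live under a path containing "Acronis"
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Parse the event XML so fields are selected by name rather than index.
            $field = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time          = $_.TimeCreated
                SubjectUser   = $field['SubjectUserName']
                NewProcess    = $field['NewProcessName']
                ParentProcess = $field['ParentProcessName']
                CommandLine   = $field['CommandLine']   # empty unless command-line auditing is enabled
            }
        } |
        Where-Object { $_.NewProcess -like $ImagePattern }
}

function Get-SuspiciousAcronisModules {
    # Lists loaded modules of matching processes and keeps those outside the
    # trusted roots or without a valid Authenticode signature.
    param(
        [string]$ImagePattern = '*Acronis*',
        # ASSUMPTION: legitimate modules come only from these roots.
        [string[]]$TrustedRoots = @(
            $env:ProgramFiles, ${env:ProgramFiles(x86)},
            "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\WinSxS"
        )
    )
    Get-Process | Where-Object { $_.Path -like $ImagePattern } | ForEach-Object {
        $proc = $_
        try { $modules = $proc.Modules } catch { Write-Warning "Cannot enumerate modules of PID $($proc.Id): $_"; return }
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            $inTrustedRoot = $false
            foreach ($root in $TrustedRoots) {
                if ($root -and $path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrustedRoot = $true; break }
            }
            $sig   = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $sigOk = ($null -ne $sig) -and ($sig.Status -eq 'Valid')
            if (-not $inTrustedRoot -or -not $sigOk) {
                [pscustomobject]@{
                    Process       = $proc.ProcessName
                    PID           = $proc.Id
                    Module        = $path
                    InTrustedRoot = $inTrustedRoot
                    Signature     = if ($sig) { $sig.Status } else { 'Unknown' }
                }
            }
        }
    }
}

# Usage
Get-AcronisProcessCreationEvents | Format-Table -AutoSize
Get-SuspiciousAcronisModules     | Format-Table -AutoSize
```

A module reported with InTrustedRoot False, or with a Signature other than Valid, from a process running as SYSTEM is the concrete artefact to investigate; an unsigned DLL in a user-writable directory loaded by a privileged Acronis process matches the scenario this CVE describes and should be correlated with the 4688 and 4672 events listed above.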