CVE-2021-44204
📋 TL;DR
This vulnerability allows local attackers to escalate privileges on Windows systems by exploiting improper access control checks on named pipes. Attackers can gain SYSTEM-level privileges by connecting to and manipulating these pipes. Affected users include anyone running vulnerable versions of Acronis Cyber Protect, Acronis Agent, Acronis Cyber Protect Home Office, or Acronis True Image 2021 on Windows.
💻 Affected Systems
- Acronis Cyber Protect 15 (Windows)
- Acronis Agent (Windows)
- Acronis Cyber Protect Home Office (Windows)
- Acronis True Image 2021 (Windows)
📦 What is this software?
Agent by Acronis
True Image by Acronis
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, and full control over the affected system.
Likely Case
Local privilege escalation from standard user to SYSTEM privileges, allowing attackers to bypass security controls, install additional malware, or access protected system resources.
If Mitigated
Limited impact if local logon is restricted to trusted accounts and the Acronis services are stopped or patched. The flaw requires code already running as a local user; it does not provide the initial foothold, it turns an existing one into SYSTEM.
🎯 Exploit Status
Exploitation requires the ability to run code as a local user on the host; from there it is relatively straightforward, because a low-privileged process only needs to connect to the affected pipe. The advisory does not mention public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Acronis Cyber Protect 15 build 28035+, Acronis Agent build 27147+, Acronis Cyber Protect Home Office build 39612+, Acronis True Image 2021 build 39287+
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-2355
Restart Required: Yes
Instructions:
1. Download the latest version from the Acronis official website or update through the product interface.
2. Install the update following the vendor's instructions.
3. Restart the system to ensure all components (including the running services) are updated.
🔧 Temporary Workarounds
Restrict Named Pipe Access
Windows: a named pipe's DACL is set by the process that creates it, so Windows security policy cannot tighten the ACL on an Acronis pipe after the fact. Treat this step as an audit rather than a fix: enumerate the pipes the Acronis services create and confirm which principals can connect to and write to them. If non-administrative principals (Everyone, Users, Authenticated Users) have write access, rely on disabling the services below until the patch is applied.
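The audit described above, as an added example for Windows PowerShell 5.1 (this script is not from the Acronis advisory or from Acronis). It lists the named pipes currently open on the host, keeps the ones whose name matches a pattern, and dumps each pipe's DACL through .NET's PipeStream.GetAccessControl. The pattern `*acronis*` is an assumption; run once with `-NamePattern '*'` if the real pipe names do not contain that string.

```powershell
# Added example (not from the Acronis advisory): audit the DACL of named pipes.
# A pipe's DACL is set by the creating process, so this only reports; it
# cannot change anything.
# ASSUMPTION: the Acronis pipe names contain "acronis"; adjust $NamePattern.
param(
    [string]$NamePattern = '*acronis*',
    [int]$ConnectTimeoutMs = 200
)

$prefix = '\\.\pipe\'
$pipes = [System.IO.Directory]::GetFiles($prefix) |
    Where-Object { $_ -like "$prefix$NamePattern" }

foreach ($fullPath in $pipes) {
    # NamedPipeClientStream takes the name without the \\.\pipe\ prefix.
    $name = $fullPath.Substring($prefix.Length)
    $client = $null
    try {
        # Opening a client handle is a real connection to the server pipe; the
        # DACL is read from that handle (GENERIC_READ includes READ_CONTROL).
        $client = New-Object System.IO.Pipes.NamedPipeClientStream(
            '.', $name, [System.IO.Pipes.PipeDirection]::In)
        $client.Connect($ConnectTimeoutMs)
        $acl = $client.GetAccessControl()
        Write-Output "== $fullPath"
        foreach ($ace in $acl.Access) {
            # Flag Allow ACEs that give WriteData to low-privilege principals;
            # that is the weak configuration this advisory is about.
            $canWrite = ([int]$ace.PipeAccessRights -band
                         [int][System.IO.Pipes.PipeAccessRights]::WriteData) -ne 0
            $lowPriv  = $ace.IdentityReference.Value -match 'Everyone|\\Users$|Authenticated Users'
            $flag = ''
            if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and $lowPriv) {
                $flag = '  <-- low-privilege write access'
            }
            Write-Output ("  {0,-6} {1,-40} {2}{3}" -f
                $ace.AccessControlType, $ace.IdentityReference.Value, $ace.PipeAccessRights, $flag)
        }
    } catch {
        # Busy single-instance pipes time out; pipes that refuse the
        # connection are reported rather than silently skipped.
        Write-Output "== $fullPath : could not inspect ($($_.Exception.Message))"
    } finally {
        if ($client) { $client.Dispose() }
    }
}
```

Run it elevated and unelevated: the interesting result is a pipe that an unelevated run can open and whose DACL grants WriteData to Everyone, Users or Authenticated Users. On PowerShell 7 GetAccessControl is an extension method and must be called as `[System.IO.Pipes.PipesAclExtensions]::GetAccessControl($client)`.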
Disable Vulnerable Components
Windows: temporarily stop and disable the Acronis services until patching can be completed. Note that scheduled backups and, for Cyber Protect, endpoint protection do not run while the services are stopped. The service names below are placeholders; take the real names from the Services console first.
sc stop "<Acronis service name>"
sc config "<Acronis service name>" start= disabled
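The same workaround as an added example in Windows PowerShell 5.1 (not from the Acronis advisory): it finds every service whose display name contains "Acronis", saves the original start types for rollback, then stops and disables them. It assumes the relevant services all have "Acronis" in their display name; check the list with `-WhatIf` before running it for real.

```powershell
# Added example (not from the Acronis advisory): stop and disable Acronis
# services, keeping a record so the change can be reverted after patching.
# Run from an elevated prompt. StartType on service objects needs PS 5+.
# ASSUMPTION: every service to disable has "Acronis" in its display name.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DisplayNamePattern = '*Acronis*',
    [string]$BackupFile = "$env:ProgramData\acronis-service-starttypes.csv"
)

$services = Get-Service -DisplayName $DisplayNamePattern -ErrorAction SilentlyContinue
if (-not $services) {
    Write-Warning "No services match '$DisplayNamePattern'; nothing to do."
    return
}

# Record service name and original StartType for the rollback step.
$services | Select-Object Name, DisplayName, Status, StartType |
    Export-Csv -Path $BackupFile -NoTypeInformation
Write-Output "Saved original start types to $BackupFile"

foreach ($svc in $services) {
    if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Stop and disable')) {
        if ($svc.Status -ne 'Stopped') {
            # -Force also stops dependent services instead of failing.
            Stop-Service -Name $svc.Name -Force -ErrorAction Stop
        }
        Set-Service -Name $svc.Name -StartupType Disabled
        Write-Output ("{0,-40} stopped; start type was {1}" -f $svc.DisplayName, $svc.StartType)
    }
}

# Rollback after the patch is installed (run separately, elevated):
#   Import-Csv $BackupFile | ForEach-Object {
#       Set-Service -Name $_.Name -StartupType $_.StartType
#       Start-Service -Name $_.Name
#   }
```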
🧯 If You Can't Patch
- Implement strict least privilege principles and limit local user access to systems running vulnerable Acronis software.
- Monitor for suspicious process creation and named pipe activity using endpoint detection and response (EDR) tools.
🔍 How to Verify
Check if Vulnerable:
Read the installed build number from the product's About dialog or from Windows Programs and Features (the DisplayVersion of the Acronis entries under the Uninstall registry keys) and compare it with the patched builds listed in the fix section. Any build below the one listed for that product is vulnerable.
Check Version:
Acronis product interface (About), or Windows Control Panel, Programs and Features.
Verify Fix Applied:
The installed build number is equal to or higher than the patched build for that product, and the system has been restarted so the updated services are the ones running.
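The version check as an added Windows PowerShell example (not from the Acronis advisory): it reads the Acronis entries from the Programs and Features registry keys and compares each build with the patched builds from the fix section. It assumes the build number is the last dotted component of DisplayVersion and that the product names contain the strings used in the advisory; if either assumption does not hold on your systems, read the build from the product UI instead.

```powershell
# Added example (not from the Acronis advisory): compare installed Acronis
# builds with the patched builds from SEC-2355.
# ASSUMPTIONS: the build is the last dotted component of DisplayVersion
# (e.g. "15.0.28035" -> 28035) and DisplayName contains the product names
# used in the advisory. Verify both against one known host before relying
# on the result fleet-wide.
$patched = @(
    @{ Pattern = '*Cyber Protect Home Office*'; Build = 39612 },
    @{ Pattern = '*Cyber Protect 15*';          Build = 28035 },
    @{ Pattern = '*True Image 2021*';           Build = 39287 },
    @{ Pattern = '*Acronis Agent*';             Build = 27147 }
)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Acronis*' -and $_.DisplayVersion }

if (-not $installed) {
    Write-Output 'No Acronis products found in the Uninstall registry keys.'
    return
}

foreach ($app in $installed) {
    # Last dotted component as the build; $null if it is not numeric.
    $build = ($app.DisplayVersion -split '\.')[-1] -as [int]
    # First matching pattern wins; the more specific names come first.
    $rule = $patched | Where-Object { $app.DisplayName -like $_.Pattern } | Select-Object -First 1
    if ($null -eq $build) {
        $state = 'could not parse build from DisplayVersion'
    } elseif (-not $rule) {
        $state = 'not in the SEC-2355 table; check the advisory'
    } elseif ($build -ge $rule.Build) {
        $state = "patched (>= $($rule.Build))"
    } else {
        $state = "VULNERABLE; needs build $($rule.Build)+"
    }
    Write-Output ("{0,-45} {1,-15} build {2,-7} {3}" -f
        $app.DisplayName, $app.DisplayVersion, $build, $state)
}
```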
📡 Detection & Monitoring
Log Indicators:
- Named pipe creation by non-SYSTEM processes using an Acronis pipe name (an attacker creating the pipe before the service does), or connections to Acronis pipes from processes that are not Acronis binaries
- Process creation at System integrity whose parent is an Acronis service process but whose image is not an Acronis binary (for example cmd.exe or powershell.exe)
- Access denied events for named pipe operations
Network Indicators:
- None are expected for a local attack; named pipes are normally accessed locally. Named pipe access to Acronis pipes over SMB (\\host\pipe\...) from another host would be anomalous and worth investigating.
SIEM Query:
Process Creation where ParentImage contains 'Acronis' AND IntegrityLevel is 'System' AND Image is not an Acronis binary (cmd.exe, powershell.exe, rundll32.exe and similar); correlate with pipe-connect events on the same host where the client process is not an Acronis binary.
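The query above, worked into an added Windows PowerShell example against the local Sysmon log (this is not from the Acronis advisory). It pulls Sysmon Event 1 (ProcessCreate) for System-integrity children of Acronis processes that are not themselves Acronis binaries, and Event 18 (PipeConnected) for non-Acronis clients connecting to Acronis-looking pipes. It assumes Sysmon logs both event types, that Acronis binaries live under a path containing `\Acronis\`, and that the pipe names contain `acronis`; replace `$PipePattern` with the real pipe names once an audit has produced them.

```powershell
# Added example (not from the Acronis advisory): hunt the two signals from the
# detection section in the local Sysmon log.
#   Event 1  ProcessCreate : System-integrity child of an Acronis process
#                            whose image is not an Acronis binary.
#   Event 18 PipeConnected : non-Acronis process connecting to an Acronis pipe.
# ASSUMPTIONS: Sysmon logs Event 1 and 18, Acronis binaries sit under a path
# containing "\Acronis\", and the pipe names contain "acronis".
param(
    [int]$Hours = 24,
    [string]$AcronisPathPattern = '*\Acronis\*',
    [string]$PipePattern = '*acronis*'
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1, 18
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $d = @{}
    foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) {
        $d[$node.Name] = $node.'#text'
    }

    switch ($e.Id) {
        1 {
            if ($d['ParentImage'] -like $AcronisPathPattern -and
                $d['IntegrityLevel'] -eq 'System' -and
                $d['Image'] -notlike $AcronisPathPattern) {
                [pscustomobject]@{
                    Time   = $e.TimeCreated
                    Signal = 'SYSTEM child of Acronis process'
                    Parent = $d['ParentImage']
                    Image  = $d['Image']
                    User   = $d['User']
                    Detail = $d['CommandLine']
                }
            }
        }
        18 {
            if ($d['PipeName'] -like $PipePattern -and
                $d['Image'] -notlike $AcronisPathPattern) {
                [pscustomobject]@{
                    Time   = $e.TimeCreated
                    Signal = 'non-Acronis client on Acronis pipe'
                    Parent = ''
                    Image  = $d['Image']
                    User   = $d['User']
                    Detail = $d['PipeName']
                }
            }
        }
    }
}
```

Pipe the script into `Format-Table -AutoSize` or `Export-Csv` for triage. Expect some benign hits from the Event 1 rule (installers and updaters spawned by the Acronis service); an interactive shell such as cmd.exe or powershell.exe as the child is the case to escalate.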