CVE-2021-44206
📋 TL;DR
This CVE describes a DLL hijacking vulnerability in the Acronis Media Builder service, a component of the products listed below, that allows a local attacker to escalate privileges on Windows. The service runs with higher privileges than an ordinary user; if it resolves a DLL from a location a low-privileged user can write to, the attacker's DLL executes in the service's security context, potentially as SYSTEM. Affected users are those running vulnerable builds of Acronis Cyber Protect Home Office or Acronis True Image 2021 on Windows.
💻 Affected Systems
- Acronis Cyber Protect Home Office (Windows)
- Acronis True Image 2021 (Windows)
📦 What is this software?
True Image by Acronis
Acronis True Image is the company's consumer backup and disk-imaging product; in 2021 it was rebranded as Acronis Cyber Protect Home Office. Media Builder is the component that creates bootable rescue media, and it runs as a Windows service so it can work with disks and boot records.
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains SYSTEM privileges, enabling complete system compromise, data theft, persistence mechanisms, and disabling of security controls.
Likely Case
Local user or malware with limited privileges escalates to SYSTEM to install additional malware, steal credentials, or bypass security software.
If Mitigated
Attack fails due to proper file permissions, application whitelisting, or user account restrictions preventing DLL placement.
🎯 Exploit Status
DLL hijacking is a well-understood attack vector. No public PoC is documented for this specific CVE, but the technique needs nothing exotic: an attacker with local access identifies a DLL the service tries to load from a directory they can write to (Process Monitor's NAME NOT FOUND results on the service's image loads are the classic way to find one), drops a DLL with that name that exports what the service expects, and waits for the service to start or restart.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Acronis Cyber Protect Home Office build 39612+, Acronis True Image 2021 build 39287+
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-3058
Restart Required: Yes
Instructions:
1. Open the Acronis application.
2. Check for updates in its settings.
3. Install the available update.
4. Restart the computer so the updated service binaries are loaded.
🔧 Temporary Workarounds
Restrict write permissions to Media Builder directories
Prevent non-administrative users from writing DLL files to the directories where Media Builder searches for them. On a default installation the Program Files tree already denies standard users write access, so the first thing to check is whether the service's search path (its own directory and every directory on the machine PATH) has been loosened. An explicit deny ACE on the install directory can interfere with the vendor's own updater, so prefer removing stray Allow entries over adding Deny entries where possible. Confirm the actual install directory and service name on the host (sc query, or Get-Service in PowerShell) before running the commands below, which use the names this page assumes.
icacls "C:\Program Files\Acronis\MediaBuilder\" /deny Users:(OI)(CI)W
Disable Media Builder service if not needed
Stop and disable the vulnerable service so that nothing loads DLLs in its context. Rescue-media creation is unavailable while it is disabled; record the current start type first (sc qc "Acronis Media Builder") so it can be restored after patching.
sc stop "Acronis Media Builder"
sc config "Acronis Media Builder" start= disabled
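The check that the workaround above depends on, written out as an added PowerShell example (not code from Acronis or from the advisory): it locates the Media Builder service, resolves the directory its binary runs from, and reports every directory on the service's DLL search path that a low-privilege principal can write to or create. The display-name pattern, the principal names, and the assumption that the service runs as SYSTEM are mine; adjust them to what the host actually shows.

```powershell
# Added example, not Acronis or advisory code. Audits the DLL search path of a
# service for write access by low-privilege principals.
# Assumptions: the service display name contains "Media Builder", and the
# principal names below are the English defaults (localized Windows differs).

$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE')

# Access-mask bits that let a principal drop, replace or delete a file:
# FILE_WRITE_DATA (0x2), FILE_APPEND_DATA (0x4), DELETE (0x10000),
# GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
$WriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x10000000 -bor 0x40000000

function Get-ServiceExePath {
    param([Parameter(Mandatory)][string]$DisplayNamePattern)
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName LIKE '$DisplayNamePattern'" |
           Select-Object -First 1
    if (-not $svc) { throw "No service matching '$DisplayNamePattern' found" }
    # PathName may be quoted and may carry arguments; keep only the executable.
    if ($svc.PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($svc.PathName -split ' ', 2)[0] }
    [pscustomobject]@{ Name = $svc.Name; StartName = $svc.StartName; Exe = $exe }
}

function Get-DllSearchDirs {
    param([Parameter(Mandatory)][string]$ExePath)
    # Default (SafeDllSearchMode) order for a service: the executable's own
    # directory, System32, System, the Windows directory, then the *machine*
    # PATH. Services inherit the machine environment, not a user's PATH.
    $dirs = @((Split-Path -Parent $ExePath),
              "$env:SystemRoot\System32", "$env:SystemRoot\System", $env:SystemRoot)
    $dirs += ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';') |
             Where-Object { $_ -and $_.Trim() }
    $dirs | ForEach-Object { $_.TrimEnd('\') } | Select-Object -Unique
}

function Find-WritableDirs {
    param([Parameter(Mandatory)][string[]]$Dirs)
    foreach ($d in $Dirs) {
        if (-not (Test-Path -LiteralPath $d)) {
            # A PATH entry that does not exist is itself a finding: whoever can
            # create it owns that slot in the search order.
            [pscustomobject]@{ Directory = $d; Identity = '(missing)'; Rights = 'creatable if parent is writable' }
            continue
        }
        $acl = Get-Acl -LiteralPath $d
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $rule.IdentityReference.Value) { continue }
            if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{ Directory = $d; Identity = $rule.IdentityReference.Value;
                               Rights = $rule.FileSystemRights }
        }
    }
}

$svc  = Get-ServiceExePath -DisplayNamePattern '%Media Builder%'
$dirs = Get-DllSearchDirs -ExePath $svc.Exe
"Service $($svc.Name) runs as $($svc.StartName) from $($svc.Exe)"
$findings = @(Find-WritableDirs -Dirs $dirs)
if ($findings.Count -eq 0) { "No low-privilege write access on the DLL search path." }
else { $findings | Format-Table -AutoSize }

# Interim containment if rescue-media creation is not needed. Reversible by
# setting the start type back to what `sc qc` reported before the change.
# Stop-Service -Name $svc.Name -Force
# Set-Service -Name $svc.Name -StartupType Disabled
```

Run it from an elevated prompt so Get-Acl can read every directory. Any row it prints is a directory where a standard user can plant a DLL ahead of the service's legitimate one, which is the condition the workaround is meant to remove; a missing PATH entry is reported too, because a user who can create that directory gets the same result.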
🧯 If You Can't Patch
- Remove local user access from vulnerable systems
- Implement application whitelisting (AppLocker or WDAC DLL rules) so the service can only load signed or explicitly allowed DLLs
🔍 How to Verify
Check if Vulnerable:
Check Acronis application version in Help > About. For Cyber Protect Home Office, verify build number is below 39612. For True Image 2021, verify build number is below 39287.
Check Version:
Check via Acronis GUI: Help > About, or examine installed programs in Control Panel > Programs and Features.
Verify Fix Applied:
Confirm build number meets or exceeds patched versions: Cyber Protect Home Office 39612+, True Image 2021 39287+.
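The version check above, done from the registry instead of the GUI so it can be run across a fleet, as an added PowerShell example (not the vendor's tooling). It reads the Uninstall keys in both the native and WOW6432Node views and compares the build number against the fixed builds named in the advisory. The assumption that the build number is the last dotted component of DisplayVersion, and the DisplayName substrings used to recognise the two products, are mine; confirm them against Help > About on one machine before trusting the verdict elsewhere.

```powershell
# Added example, not Acronis code. Flags installed Acronis products whose
# build is below the fixed build for CVE-2021-44206.
# Assumption: DisplayVersion ends in the build number, e.g. "26.0.1.39612".

$FixedBuilds = @{
    'Cyber Protect Home Office' = 39612
    'True Image 2021'           = 39287
}

function Get-BuildNumber {
    param([string]$Version)
    # Last numeric component of the version string; -1 when there is none.
    if (-not $Version) { return -1 }
    $parts = @($Version -split '[.\s]' | Where-Object { $_ -match '^\d+$' })
    if ($parts.Count -eq 0) { return -1 }
    return [int]$parts[-1]
}

function Get-AcronisInstalls {
    $roots = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Acronis*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

function Test-Cve202144206 {
    param([string]$DisplayName, [string]$DisplayVersion)
    foreach ($product in $FixedBuilds.Keys) {
        if ($DisplayName -notlike "*$product*") { continue }
        $build = Get-BuildNumber -Version $DisplayVersion
        return [pscustomobject]@{
            Product    = $DisplayName
            Version    = $DisplayVersion
            Build      = $build
            FixedBuild = $FixedBuilds[$product]
            # A build of -1 (unparseable version) is reported as vulnerable so
            # it gets looked at rather than silently passing.
            Vulnerable = ($build -lt $FixedBuilds[$product])
        }
    }
    return $null   # some other Acronis component, out of scope for this CVE
}

Get-AcronisInstalls |
    ForEach-Object { Test-Cve202144206 $_.DisplayName $_.DisplayVersion } |
    Where-Object { $_ } |
    Format-Table -AutoSize
```

An empty table means no product matching either name is installed, not that the host is patched; a row with Vulnerable = True, or with Build = -1, needs a manual look at Help > About.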
📡 Detection & Monitoring
Log Indicators:
- DLL loads by the Acronis Media Builder process from outside its install directory and the Windows system directories, or loads of unsigned DLLs (Sysmon Event ID 7, ImageLoaded)
- DLL files created in Acronis directories, or in directories on the machine PATH, by non-administrative users (Sysmon Event ID 11, or Security Event ID 4663 where an object-access SACL is set on those directories)
- Child processes the service has no reason to start, such as cmd.exe or powershell.exe (Security Event ID 4688, using the parent process field)
- Service crashes or unexpected restarts (System log, Service Control Manager events), which can indicate a planted DLL that failed to satisfy the service's imports
Network Indicators:
- None specific to this vulnerability; exploitation is local, and any network activity comes from whatever the attacker runs after escalating
SIEM Query:
Process-creation events (4688/4689) do not record DLL loads, so the useful query runs over image-load telemetry. In Sysmon terms: EventID=7 AND Image contains 'MediaBuilder' AND ((ImageLoaded NOT under 'C:\Windows\' AND ImageLoaded NOT under 'C:\Program Files\Acronis\') OR Signed='false'). Pair it with EventID=11 AND TargetFilename ends with '.dll' AND TargetFilename under an Acronis or machine-PATH directory AND User is not an administrator, and with EventID=4688 WHERE ParentProcessName contains 'MediaBuilder' AND NewProcessName is not an Acronis binary.
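The image-load rule above as runnable detection logic, added here as an example and not taken from the page or any vendor. It evaluates Sysmon Event ID 7 records, flagging loads by a Media Builder process from outside a trusted directory or of a DLL that is unsigned or has an invalid signature; one function reads live events from the Sysmon log, and two constructed sample records (not captured from a real host) exercise the rule offline. The process-name pattern, the trusted-directory list and the sample paths are assumptions.

```powershell
# Added example, not page or vendor code. Detection logic for hijack-style
# DLL loads by the Media Builder process, over Sysmon Event ID 7 (ImageLoaded).
# Assumptions: process image path contains "MediaBuilder"; a legitimate copy
# only loads DLLs from the directories in $TrustedDirs.

$ProcessPattern = '*MediaBuilder*'
$TrustedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
                 "$env:SystemRoot\WinSxS", "$env:ProgramFiles\Acronis",
                 "${env:ProgramFiles(x86)}\Acronis", "$env:ProgramFiles\Common Files\Acronis")

function Test-SuspiciousImageLoad {
    # $Load carries the Event ID 7 fields: UtcTime, Image, ImageLoaded,
    # Signed ('true'/'false'), SignatureStatus, User.
    param([Parameter(Mandatory)]$Load)
    if ($Load.Image -notlike $ProcessPattern) { return $null }
    $dll = $Load.ImageLoaded
    $inTrusted = $false
    foreach ($t in $TrustedDirs) {
        if ($dll -like "$t\*") { $inTrusted = $true; break }
    }
    $reasons = @()
    if (-not $inTrusted)                        { $reasons += 'load from untrusted directory' }
    if ($Load.Signed -ne 'true')                { $reasons += 'unsigned DLL' }
    elseif ($Load.SignatureStatus -ne 'Valid')  { $reasons += "signature $($Load.SignatureStatus)" }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{ Time = $Load.UtcTime; Process = $Load.Image; Dll = $dll;
                       User = $Load.User; Reason = ($reasons -join '; ') }
}

function ConvertFrom-SysmonEvent {
    # Flatten a Get-WinEvent record's EventData into a plain object with the
    # same property names Sysmon uses.
    param([Parameter(Mandatory)]$Record)
    $xml = [xml]$Record.ToXml()
    $o = @{}
    foreach ($d in $xml.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
    [pscustomobject]$o
}

function Get-LiveFindings {
    # Requires Sysmon with an ImageLoad rule that covers the process.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } -ErrorAction SilentlyContinue |
        ForEach-Object { Test-SuspiciousImageLoad (ConvertFrom-SysmonEvent $_) } |
        Where-Object { $_ }
}

# Constructed sample records: a benign OS DLL load and a planted DLL load.
$Samples = @(
    [pscustomobject]@{ UtcTime = '2024-01-01 10:00:00.000'
                       Image = 'C:\Program Files\Acronis\MediaBuilder\MediaBuilder.exe'
                       ImageLoaded = 'C:\Windows\System32\version.dll'
                       Signed = 'true'; SignatureStatus = 'Valid'; User = 'NT AUTHORITY\SYSTEM' },
    [pscustomobject]@{ UtcTime = '2024-01-01 10:00:01.000'
                       Image = 'C:\Program Files\Acronis\MediaBuilder\MediaBuilder.exe'
                       ImageLoaded = 'C:\Users\Public\Downloads\version.dll'
                       Signed = 'false'; SignatureStatus = 'Unavailable'; User = 'NT AUTHORITY\SYSTEM' }
)
$Samples | ForEach-Object { Test-SuspiciousImageLoad $_ } | Where-Object { $_ } | Format-Table -AutoSize
```

Only the second sample is reported, with both reasons. The same DLL name appearing in an untrusted directory is the tell: the service asked for version.dll, and the search order handed it the attacker's copy first. Replace the sample section with Get-LiveFindings to run against the host's Sysmon log.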