CVE-2022-0483
📋 TL;DR
CVE-2022-0483 is a local privilege escalation vulnerability in Acronis VSS Doctor for Windows caused by insecure folder permissions. This allows authenticated local users to execute arbitrary code with SYSTEM privileges. Only Windows systems running vulnerable versions of Acronis VSS Doctor are affected.
💻 Affected Systems
- Acronis VSS Doctor
📦 What is this software?
VSS Doctor by Acronis
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement capabilities.
Likely Case
Malicious insider or compromised user account escalates to SYSTEM to install malware, steal credentials, or bypass security controls.
If Mitigated
With proper access controls and least privilege principles, impact is limited to authorized users who already have some local access.
🎯 Exploit Status
Exploitation requires authenticated local access. The vulnerability is in folder permissions, making exploitation straightforward for attackers with local access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 53 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-3354
Restart Required: Yes
Instructions:
1. Download and install Acronis VSS Doctor build 53 or later from official Acronis sources.
2. Restart the system to ensure all components are updated.
3. Verify the installation by checking the version number.
🔧 Temporary Workarounds
Restrict folder permissions
Windows: Manually adjust folder permissions to remove write access for non-administrative users
icacls "C:\Program Files\Acronis\VSS Doctor" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F"
Disable vulnerable service
Windows: Temporarily disable the Acronis VSS Doctor service if it is not critically needed
sc stop "Acronis VSS Doctor"
sc config "Acronis VSS Doctor" start= disabled
🧯 If You Can't Patch
- Implement strict least privilege access controls to limit local user permissions
- Monitor for suspicious privilege escalation attempts and file system modifications
🔍 How to Verify
Check if Vulnerable:
Check the Acronis VSS Doctor version: open the application and check whether the version is below build 53
Check Version:
wmic product where "name like 'Acronis VSS Doctor%'" get version
Verify Fix Applied:
Confirm Acronis VSS Doctor version is build 53 or higher and verify folder permissions are properly restricted
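One way to check the folder-permission half of this verification, as an added PowerShell example (not Acronis tooling and not part of the vendor advisory). It assumes the install path used in the icacls workaround above; the trusted-SID list and the write-rights mask are choices made for this example.

```powershell
# Added example (not vendor code): list ACEs that let non-administrative
# principals write under the product folder. Default path is the one from the
# icacls workaround on this page; pass -Path if installed elsewhere.
param([string]$Path = 'C:\Program Files\Acronis\VSS Doctor')

# Principals expected to hold write access (choice made for this example).
$trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER: only applies to objects a principal could already create
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Rights that allow planting, replacing or deleting files, or rewriting the ACL.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Also catch raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits,
# which inherit-only ACEs can carry unmapped.
$writeMask = [int]$rights -bor 0x50000000

$items = @(Get-Item -LiteralPath $Path -Force) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Ask for SIDs directly so unresolvable account names cannot break the check.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $item.FullName
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
    Write-Warning "$(@($findings).Count) ACE(s) grant write access to non-administrative principals."
    exit 1
}
Write-Output "No non-administrative write access found under $Path."
```

The non-zero exit code on findings lets the script run as a compliance check after the update or the workaround has been applied.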
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing privilege escalation attempts
- File system audit logs showing modifications to Acronis VSS Doctor folders
- Process creation logs showing unexpected SYSTEM privilege processes
Network Indicators:
- No network indicators as this is a local privilege escalation
SIEM Query:
EventID=4688 AND NewProcessName CONTAINS 'Acronis' AND SubjectUserName != 'SYSTEM' AND TokenElevationType != '%%1936'