CVE-2022-24113
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Acronis Windows products where child processes receive excessive permissions. An attacker with local access can exploit this to gain SYSTEM-level privileges on affected systems. Users of Acronis Cyber Protect, Acronis Agent, Acronis Cyber Protect Home Office, and Acronis True Image 2021 on Windows are affected.
💻 Affected Systems
- Acronis Cyber Protect 15 (Windows)
- Acronis Agent (Windows)
- Acronis Cyber Protect Home Office (Windows)
- Acronis True Image 2021 (Windows)
📦 What is this software?
Agent by Acronis
True Image by Acronis
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence establishment, and lateral movement capabilities.
Likely Case
Malicious insider or malware with initial foothold escalates to SYSTEM privileges to disable security controls, install additional malware, or access protected data.
If Mitigated
With proper access controls and monitoring, exploitation would be detected and contained before significant damage occurs.
🎯 Exploit Status
Exploitation requires local access to the system. The vulnerability involves improper permission assignment to child processes, which could be exploited through various local attack vectors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Acronis Cyber Protect 15 build 28035+, Acronis Agent build 27147+, Acronis Cyber Protect Home Office build 39612+, Acronis True Image 2021 build 39287+
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-2881
Restart Required: Yes
Instructions:
1. Open the Acronis product.
2. Check for updates in settings.
3. Download and install the latest version.
4. Restart the system as prompted.
5. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict Local Access
Windows: Limit local access to systems running vulnerable Acronis software to trusted users only.
Monitor Process Creation
Windows: Implement monitoring for unusual child process creation by Acronis services.
🧯 If You Can't Patch
- Implement strict access controls to limit who can log into systems with vulnerable Acronis software
- Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check Acronis product version in the application's About section or through Control Panel > Programs and Features.
Check Version:
For Acronis Cyber Protect: Check Help > About. For Windows generally: wmic product where "name like '%Acronis%'" get version
Verify Fix Applied:
Verify the installed version meets or exceeds the patched build numbers listed in the fix section.
📡 Detection & Monitoring
Log Indicators:
- Unusual child process creation by Acronis services
- Privilege escalation attempts from Acronis processes
- Suspicious SYSTEM-level activity following Acronis process execution
Network Indicators:
- None - this is a local privilege escalation vulnerability
SIEM Query:
EventID=4688 AND ProcessName LIKE '%acronis%' AND NewProcessName NOT IN (expected_acronis_child_processes)
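Added example (not part of the original advisory or any Acronis tooling): the query above implemented as detection logic over exported 4688 events, including a fallback for hosts that do not log the parent image name. The allowlist, host names and file paths are constructed placeholders; replace the allowlist with the child processes your own baseline shows.

```python
# Added example: flags 4688 events where an Acronis process starts an unexpected child.
# Paths and the allowlist are constructed placeholders, not real Acronis binaries.
EXPECTED_CHILDREN = {
    r"c:\program files\acronis\example\example_helper.exe",  # placeholder baseline entry
}

def suspicious_acronis_children(events, expected=EXPECTED_CHILDREN):
    """Return the 4688 events whose creator is an Acronis image and whose
    new process is not in the baseline of expected children.

    ParentProcessName exists only on Windows 10 / Server 2016 and later.
    For older hosts the creator PID (ProcessId) is resolved against earlier
    4688 events from the same computer; events must be in time order.
    """
    image_by_pid = {}  # (Computer, NewProcessId) -> image path of that process
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        host = ev.get("Computer", "")
        child = ev.get("NewProcessName", "")
        parent = ev.get("ParentProcessName") or image_by_pid.get(
            (host, ev.get("ProcessId")), "")
        image_by_pid[(host, ev.get("NewProcessId"))] = child  # PID reuse overwrites
        if "acronis" in parent.lower() and child.lower() not in expected:
            hits.append(ev)
    return hits

SVC = r"C:\Program Files\Acronis\EXAMPLE\example_service.exe"  # constructed
SAMPLE_EVENTS = [  # constructed events, field names as in Security event 4688
    {"EventID": 4688, "Computer": "H1", "ProcessId": "0x2a4", "NewProcessId": "0x9c0",
     "ParentProcessName": SVC,
     "NewProcessName": r"C:\Program Files\Acronis\EXAMPLE\example_helper.exe"},
    {"EventID": 4688, "Computer": "H1", "ProcessId": "0x2a4", "NewProcessId": "0xa10",
     "ParentProcessName": SVC, "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "Computer": "H1", "ProcessId": "0x1f8", "NewProcessId": "0xa44",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
    # Older host: no ParentProcessName, parent resolved through the PID map
    {"EventID": 4688, "Computer": "H2", "ProcessId": "0x274", "NewProcessId": "0x4d0",
     "NewProcessName": SVC},
    {"EventID": 4688, "Computer": "H2", "ProcessId": "0x4d0", "NewProcessId": "0x7e8",
     "NewProcessName": r"C:\Users\Public\example_tool.exe"},
    {"EventID": 4624, "Computer": "H1"},
]

if __name__ == "__main__":
    for ev in suspicious_acronis_children(SAMPLE_EVENTS):
        print(ev["Computer"], ev["NewProcessName"])
```

The allowlist compares full image paths rather than file names, so a binary that copies an expected name into another directory is still flagged.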