CVE-2022-24115
📋 TL;DR
This vulnerability allows local attackers to escalate privileges on macOS systems by exploiting unrestricted loading of unsigned libraries in Acronis software. It affects users of Acronis Cyber Protect Home Office and Acronis True Image 2021 on macOS. Attackers can gain root privileges by tricking the software into loading malicious libraries.
💻 Affected Systems
- Acronis Cyber Protect Home Office (macOS)
- Acronis True Image 2021 (macOS)
📦 What is this software?
True Image by Acronis
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full root privileges on the macOS system, enabling complete system compromise, data theft, and persistence.
Likely Case
Malicious local user or malware with user-level access escalates to root to install persistent backdoors or access protected data.
If Mitigated
With proper patching, the vulnerability is eliminated; with workarounds, attack surface is reduced but not fully mitigated.
🎯 Exploit Status
Exploitation requires local access but is relatively straightforward once an attacker has user-level access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Acronis Cyber Protect Home Office build 39605 or later; Acronis True Image 2021 build 39287 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-3359
Restart Required: Yes
Instructions:
1. Open the Acronis application.
2. Check for updates in settings.
3. Install the latest update.
4. Restart the system to ensure changes take effect.
🔧 Temporary Workarounds
Uninstall vulnerable software
macOS: Remove affected Acronis products until patched versions can be installed.
sudo /Applications/Acronis\ Cyber\ Protect\ Home\ Office.app/Contents/MacOS/uninstall
sudo /Applications/Acronis\ True\ Image.app/Contents/MacOS/uninstall
Restrict local user access
All platforms: Limit local user accounts to trusted individuals only and monitor for suspicious activity.
🧯 If You Can't Patch
- Uninstall the vulnerable Acronis software immediately.
- Implement strict access controls and monitor for privilege escalation attempts on affected systems.
🔍 How to Verify
Check if Vulnerable:
Check the Acronis application version in the About section. To list which Acronis applications are installed, run:
ls -la /Applications/ | grep -i acronis
Check Version:
Open Acronis application → About menu to view version/build details.
Verify Fix Applied:
Verify the installed build number is 39605 or higher for Cyber Protect Home Office, or 39287 or higher for True Image 2021.
📡 Detection & Monitoring
Log Indicators:
- Unusual library loading events in system logs
- Process execution with unexpected privileges from Acronis binaries
Network Indicators:
- None - this is a local exploit with no network component
SIEM Query:
macOS process monitoring for Acronis binaries spawning shells or executing with elevated privileges.
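One way to express the monitoring described under SIEM Query, as an added example that is not part of the original page or of any Acronis tooling. It assumes process events arrive as JSON lines with the hypothetical fields pid, path, parent_path, ruid and euid; the bundle paths are the ones in the uninstall commands above, and the sample events are constructed.

```python
import json

# Bundle paths come from the uninstall commands on this page.
ACRONIS_BUNDLES = (
    "/Applications/Acronis Cyber Protect Home Office.app/",
    "/Applications/Acronis True Image.app/",
)
SHELLS = {"sh", "bash", "zsh", "dash", "ksh", "csh", "tcsh"}


def triage(lines):
    """Return (rule, pid) for each JSON process event that matches a rule.

    Assumed (hypothetical) event fields: pid, path, parent_path, ruid, euid.
    """
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or malformed records
        if not isinstance(ev, dict):
            continue
        path = str(ev.get("path") or "")
        parent = str(ev.get("parent_path") or "")
        # Rule 1: a binary inside an Acronis bundle is the parent of a shell.
        if parent.startswith(ACRONIS_BUNDLES) and path.rsplit("/", 1)[-1] in SHELLS:
            hits.append(("acronis-spawned-shell", ev.get("pid")))
        # Rule 2 (heuristic): an Acronis binary runs with effective uid 0
        # while the real uid is a non-root user.
        elif path.startswith(ACRONIS_BUNDLES) and ev.get("euid") == 0 and ev.get("ruid", 0) != 0:
            hits.append(("acronis-euid-root", ev.get("pid")))
    return hits


# Constructed sample events, not real telemetry; "example_helper" is a placeholder name.
_HELPER = "/Applications/Acronis True Image.app/Contents/MacOS/example_helper"
SAMPLE = [
    json.dumps({"pid": 101, "path": "/bin/zsh", "parent_path": _HELPER, "ruid": 0, "euid": 0}),
    json.dumps({"pid": 102, "path": "/bin/zsh", "parent_path": "/usr/bin/login", "ruid": 501, "euid": 501}),
    json.dumps({"pid": 103, "path": _HELPER, "parent_path": "/sbin/launchd", "ruid": 501, "euid": 0}),
    json.dumps({"pid": 104, "path": _HELPER, "parent_path": "/sbin/launchd", "ruid": 501, "euid": 501}),
    '{"pid": 105, "path": "/bin/sh", "parent_pa',  # truncated record
]

if __name__ == "__main__":
    for rule, pid in triage(SAMPLE):
        print(rule, pid)
```

Rule 2 will also match any legitimate setuid helper the product ships, so baseline it on a patched host before alerting on it.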