CVE-2022-3405
📋 TL;DR
CVE-2022-3405 is a privilege escalation vulnerability in Acronis Agent that allows local attackers to execute arbitrary code and access sensitive information. This affects Acronis Cyber Protect 15 and Acronis Cyber Backup 12.5 on Windows and Linux systems. Attackers can exploit excessive privileges to gain SYSTEM/root access.
💻 Affected Systems
- Acronis Cyber Protect 15
- Acronis Cyber Backup 12.5
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM/root privileges, enabling installation of persistent malware, data exfiltration, lateral movement, and disabling of security controls.
Likely Case
Local privilege escalation leading to unauthorized access to sensitive backup data, configuration files, and potential credential theft from the Acronis environment.
If Mitigated
Limited to local user access without privilege escalation; attackers cannot gain elevated privileges or access sensitive Acronis data.
🎯 Exploit Status
Exploitation requires local access to the system; no public exploit code had been disclosed at the time this information was compiled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Acronis Cyber Protect 15 build 29486 or later, Acronis Cyber Backup 12.5 build 16545 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-4092
Restart Required: Yes
Instructions:
1. Download the latest version from Acronis official sources.
2. Run the installer with administrative privileges.
3. Follow the on-screen instructions to complete the update.
4. Restart the system as prompted.
🔧 Temporary Workarounds
Restrict Local Access
All platforms: Limit local user access to systems running Acronis Agent to trusted administrators only.
Monitor Privileged Operations
All platforms: Implement monitoring for unusual process creation or privilege escalation attempts related to Acronis services.
🧯 If You Can't Patch
- Implement strict access controls to limit local user access to Acronis-managed systems
- Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check the Acronis Agent version via the management console or by examining the installed software version.
Check Version:
On Windows: check Programs and Features.
On Linux: check the package manager, or run 'acronis_agent --version' if available.
Verify Fix Applied:
Verify the installed version meets or exceeds the patched build numbers: Cyber Protect 15 build 29486+, Cyber Backup 12.5 build 16545+.
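The version check above is a comparison of build numbers against the fixed builds listed in the fix section. The following script, added here as an illustration and not part of the advisory or any Acronis tooling, audits a software inventory against those thresholds. It assumes (hypothetically) that the build number is the last dotted numeric component of the version string (e.g. "15.0.29486"), and it treats unknown products or unparseable versions as not patched so that a broken inventory record cannot hide an unpatched host. The inventory rows are constructed sample data.

```python
import re
from typing import List, Optional, Tuple

# Minimum fixed build per product, taken from the advisory's fix section.
PATCHED_BUILDS = {
    "Acronis Cyber Protect 15": 29486,
    "Acronis Cyber Backup 12.5": 16545,
}


def build_number(version: str) -> Optional[int]:
    """Extract the build number from a version string.

    Assumption (hypothetical format): the build is the last dotted numeric
    component, e.g. "15.0.29486" -> 29486. Returns None if nothing parses.
    """
    parts = re.findall(r"\d+", version)
    if not parts:
        return None
    return int(parts[-1])


def is_patched(product: str, version: str) -> bool:
    """True only when the installed build meets or exceeds the fixed build.

    Unknown products and unparseable versions are reported as NOT patched,
    which is the conservative answer for a patch-compliance audit.
    """
    threshold = PATCHED_BUILDS.get(product)
    build = build_number(version)
    if threshold is None or build is None:
        return False
    return build >= threshold


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) rows that are still vulnerable."""
    return [(h, p, v) for h, p, v in inventory if not is_patched(p, v)]


# Constructed sample inventory; host names and versions are made up.
SAMPLE_INVENTORY = [
    ("srv-backup-01", "Acronis Cyber Protect 15", "15.0.29486"),   # exactly the fixed build
    ("srv-backup-02", "Acronis Cyber Protect 15", "15.0.28035"),   # older build
    ("srv-files-03", "Acronis Cyber Backup 12.5", "12.5.16545"),   # exactly the fixed build
    ("srv-files-04", "Acronis Cyber Backup 12.5", "12.5.16428"),   # older build
    ("srv-legacy-05", "Acronis Cyber Backup 12.5", "unknown"),     # unparseable record
]

if __name__ == "__main__":
    for host, product, version in audit(SAMPLE_INVENTORY):
        print(f"VULNERABLE {host}: {product} {version}")
```

Feed it the real inventory export from your asset management system in place of the sample rows; the only adjustment needed is in `build_number` if your export formats the version differently.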
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation by Acronis Agent service
- Privilege escalation attempts in system logs
- Unauthorized access to Acronis configuration files
Network Indicators:
- Unusual outbound connections from Acronis Agent to unknown destinations
SIEM Query:
Process creation events where the parent process image path contains 'acronis' and the child process is a shell running with elevated privileges (e.g., cmd.exe, powershell.exe, or bash as SYSTEM/root).
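The SIEM logic above, applied to process-creation events as an added example that is not part of the advisory: a parent whose image path contains 'acronis', a child that is a shell, and a privileged account. Field names (`parent_image`, `image`, `user`, `host`) are assumed, Sysmon-style names, the Acronis service path is a hypothetical placeholder, and the log lines are constructed. Non-shell children and shells spawned for ordinary users are deliberately left out so the rule stays quiet on the agent's own helper processes.

```python
import json
from typing import Dict, Iterable, List

# Child images that indicate a shell was spawned.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh"}
# Accounts the page's query treats as privileged (compared case-insensitively).
PRIVILEGED_USERS = {"NT AUTHORITY\\SYSTEM", "ROOT"}


def basename(path: str) -> str:
    """Return the final path component, handling both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious(event: Dict[str, str]) -> bool:
    """Apply the page's SIEM rule to one process-creation event."""
    parent = event.get("parent_image", "").lower()
    child = basename(event.get("image", ""))
    user = event.get("user", "").upper()
    return "acronis" in parent and child in SHELLS and user in PRIVILEGED_USERS


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse JSON lines and return the matching events; malformed lines are skipped."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_suspicious(event):
            hits.append(event)
    return hits


# Constructed sample events (hypothetical paths and hosts, not real telemetry).
SAMPLE_LOG = r"""
{"host": "win-bk-01", "parent_image": "C:\\Program Files\\Acronis\\Agent\\agent_service.exe", "image": "C:\\Windows\\System32\\cmd.exe", "user": "NT AUTHORITY\\SYSTEM"}
{"host": "win-bk-02", "parent_image": "C:\\Program Files\\Acronis\\Agent\\agent_service.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "user": "CORP\\jdoe"}
{"host": "win-ws-07", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "user": "NT AUTHORITY\\SYSTEM"}
{"host": "lnx-bk-03", "parent_image": "/opt/acronis/agent/agent_service", "image": "/bin/bash", "user": "root"}
{"host": "win-bk-04", "parent_image": "C:\\Program Files\\Acronis\\Agent\\agent_service.exe", "image": "C:\\Program Files\\Acronis\\Agent\\helper.exe", "user": "NT AUTHORITY\\SYSTEM"}
this line is not JSON and must be skipped
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.strip().splitlines()):
        print(f"ALERT {hit['host']}: {hit['parent_image']} -> {hit['image']} as {hit['user']}")
```

Before deploying this as a production rule, baseline it against your own telemetry: if backup plans run scripted pre/post commands, those will legitimately match, and the rule should then be narrowed to exclude the known script paths rather than the shell itself.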