CVE-2022-45449
📋 TL;DR
Acronis Agent in Cyber Protect 15 has excessive privileges that can lead to sensitive information disclosure. This affects Acronis Cyber Protect 15 installations on Windows and Linux systems before build 30984. Attackers could exploit this to access protected data.
💻 Affected Systems
- Acronis Cyber Protect 15
📦 What is this software?
Acronis Cyber Protect 15 is Acronis's backup and data-protection platform; the Acronis Agent is the component installed on the Windows and Linux hosts it protects, which is why its privilege level determines what backed-up data can be reached.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of protected backup data including credentials, configuration files, and sensitive business information stored in backups.
Likely Case
Unauthorized access to backup metadata, configuration details, and potentially some protected data depending on specific deployment.
If Mitigated
Limited or no data exposure due to network segmentation, proper access controls, and monitoring.
🎯 Exploit Status
Exploitation requires access to the system running Acronis Agent. The vulnerability stems from improper privilege assignment rather than a specific exploit chain.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 30984 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-5279
Restart Required: Yes
Instructions:
1. Download the latest version from the official Acronis website.
2. Run the installer with administrative privileges.
3. Follow the upgrade wizard.
4. Restart the Acronis Agent service or reboot the system.
🔧 Temporary Workarounds
Restrict Agent Service Permissions
Windows: Manually adjust the Acronis Agent service to run with the minimal necessary privileges.
sc.exe config "Acronis Agent" obj= "NT AUTHORITY\LocalService"
sc.exe config "Acronis Agent" type= own
Implement Network Segmentation
All platforms: Isolate the Acronis management network from the general corporate network.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can communicate with Acronis Agent services
- Enable detailed logging and monitoring for unauthorized access attempts to Acronis services
🔍 How to Verify
Check if Vulnerable:
Check the Acronis Cyber Protect version in the management console or run 'acronis_agent --version' on Linux systems.
Check Version:
On Windows: Check Programs and Features.
On Linux: rpm -qa | grep acronis or dpkg -l | grep acronis
Verify Fix Applied:
Verify the version shows build 30984 or higher and check that the Acronis Agent service is running with appropriate privileges.
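The build comparison above, as an added example that is not part of the advisory: a POSIX shell check that pulls the build number out of a package-list line and reports whether it is at or above the fixed build 30984. The package name and version layout in the sample lines are constructed assumptions; adjust the field extraction to what rpm or dpkg actually prints on your hosts.

```shell
#!/bin/sh
# Added example (not from the advisory): is the installed Acronis Cyber
# Protect 15 build at or above the fixed build 30984 for CVE-2022-45449?
FIXED_BUILD=30984

# Extract the build number (third numeric component of a 15.x.NNNNN version)
# from one package-list line. Prints nothing if no such version is present.
acronis_build_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*15\.[0-9][0-9]*\.\([0-9][0-9]*\).*/\1/p'
}

# Exit status: 0 = fixed (build >= FIXED_BUILD), 1 = vulnerable (lower build),
# 2 = no build number could be parsed from the line.
acronis_fix_status() {
    build=$(acronis_build_from_line "$1")
    [ -n "$build" ] || return 2
    [ "$build" -ge "$FIXED_BUILD" ] && return 0
    return 1
}

# Constructed sample output in dpkg -l and rpm -qa style (package names and
# versions are assumptions, not real Acronis package identifiers).
SAMPLE_VULN='ii  acronis-agent  15.0.29486-1  amd64  Acronis Cyber Protect Agent'
SAMPLE_FIXED='acronis-agent-15.0.30984-1.x86_64'
SAMPLE_NOVER='ii  acronis-tools  1.2.3-4  amd64  helper package'

for line in "$SAMPLE_VULN" "$SAMPLE_FIXED" "$SAMPLE_NOVER"; do
    rc=0
    acronis_fix_status "$line" || rc=$?
    case "$rc" in
        0) echo "fixed:      $line" ;;
        1) echo "VULNERABLE: $line" ;;
        *) echo "unknown:    $line" ;;
    esac
done
```

On a real host feed the output of rpm -qa | grep acronis or dpkg -l | grep acronis into acronis_fix_status line by line; a status of 2 means the line carried no parsable 15.x.NNNNN version and needs a manual look.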
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to Acronis Agent logs
- Failed privilege escalation attempts in system logs
- Unauthorized service account changes
Network Indicators:
- Unexpected connections to Acronis Agent ports (default 9876)
- Traffic patterns suggesting data exfiltration from backup storage
SIEM Query:
source="acronis*" AND (event_type="privilege_escalation" OR event_type="unauthorized_access")