CVE-2022-45450
📋 TL;DR
This vulnerability allows unauthorized users to access and manipulate sensitive information in Acronis products due to improper authorization checks. It affects Acronis Agent and Acronis Cyber Protect 15 installations on Linux, macOS, and Windows systems running vulnerable versions. Attackers can exploit this to view or modify protected data without proper authorization.
💻 Affected Systems
- Acronis Agent
- Acronis Cyber Protect 15
📦 What is this software?
Agent by Acronis
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of protected backup data including exfiltration, modification, or deletion of sensitive information, potentially leading to data loss, ransomware deployment, or compliance violations.
Likely Case
Unauthorized access to backup data and configuration information, allowing attackers to view sensitive files, modify backup settings, or disrupt backup operations.
If Mitigated
Limited impact with proper network segmentation and access controls, though the vulnerability still exists in the software itself.
🎯 Exploit Status
Exploitation requires some level of access to the system but doesn't require administrative privileges. The vulnerability stems from improper authorization checks rather than authentication bypass.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Acronis Agent build 28610 or later, Acronis Cyber Protect 15 build 30984 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-2410
Restart Required: Yes
Instructions:
1. Download the latest version from Acronis official sources.
2. Back up the current configuration.
3. Install the update following vendor instructions.
4. Restart the Acronis service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Network Segmentation
All platforms: Restrict network access to Acronis management interfaces to only trusted administrative systems.
Access Control Hardening
All platforms: Implement strict file system permissions and limit user access to Acronis installation directories.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Acronis systems from untrusted networks
- Enable detailed logging and monitoring for unauthorized access attempts to Acronis services
🔍 How to Verify
Check if Vulnerable:
Check the Acronis product version in the management console or from the command line:
- Windows: check Programs and Features.
- Linux/macOS: check the installed package version.
Check Version:
- Windows: check via the Acronis Management Console.
- Linux: rpm -qa | grep acronis or dpkg -l | grep acronis
- macOS: check via the Acronis application's About menu.
Verify Fix Applied:
Verify the build number is 28610 or higher for Acronis Agent, or 30984 or higher for Acronis Cyber Protect 15.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to Acronis services
- Unexpected configuration changes in Acronis logs
- Access to backup data from unauthorized accounts
Network Indicators:
- Unusual network traffic to Acronis management ports (default 9876)
- Connection attempts from unauthorized IP addresses
SIEM Query:
source="acronis*" AND (event_type="access_denied" OR event_type="unauthorized_access" OR user NOT IN ["authorized_users_list"])
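The network indicators listed above can also be checked offline against connection logs. The following Python code is an added example, not part of the original advisory or of any Acronis tooling: it counts connections to the default management port 9876 from sources outside a trusted admin network. The log format, the sample records, the trusted CIDR and the function name are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Default Acronis management port as stated in the network indicators above.
ACRONIS_MGMT_PORT = 9876

# Constructed sample records (assumed format):
# "<timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2023-01-10T08:01:12Z 10.20.0.5 10.30.1.10 9876 ALLOW
2023-01-10T08:03:40Z 192.0.2.44 10.30.1.10 9876 ALLOW
2023-01-10T08:03:41Z 192.0.2.44 10.30.1.10 9876 ALLOW
2023-01-10T08:05:02Z 10.40.7.19 10.30.1.10 443 ALLOW
2023-01-10T08:06:30Z 10.40.7.19 10.30.1.11 9876 DENY
corrupted record
2023-01-10T08:07:00Z not-an-ip 10.30.1.10 9876 ALLOW
"""

def find_untrusted_sources(log_text, trusted_cidrs, port=ACRONIS_MGMT_PORT):
    """Count connections to `port` per source IP outside `trusted_cidrs`.

    Returns (Counter of source -> hits, list of lines that failed to parse).
    Denied attempts are counted too: they are still connection attempts.
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits, rejected = Counter(), []
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            _ts, src, _dst, dport, _action = fields
            src_ip = ipaddress.ip_address(src)
            dport = int(dport)
        except ValueError:
            rejected.append(line)  # keep unparsable records for manual review
            continue
        if dport != port:
            continue
        if not any(src_ip in net for net in trusted):
            hits[str(src_ip)] += 1
    return hits, rejected

if __name__ == "__main__":
    # Hypothetical admin subnet; replace with the real management network.
    hits, rejected = find_untrusted_sources(SAMPLE_LOG, ["10.20.0.0/24"])
    for src, count in hits.most_common():
        print(f"{src}: {count} connection(s) to port {ACRONIS_MGMT_PORT}")
    print(f"{len(rejected)} unparsable line(s)")
```

Unparsable records are returned rather than silently dropped, so gaps in log coverage are visible alongside the flagged sources.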