CVE-2022-45451

7.8 HIGH

📋 TL;DR

This CVE describes a local privilege escalation vulnerability in Acronis products for Windows. It allows a local attacker with low privileges to gain SYSTEM-level access due to insecure driver communication port permissions. Affected users include those running vulnerable versions of Acronis Cyber Protect Home Office, Acronis Agent, or Acronis Cyber Protect 15 on Windows systems.

💻 Affected Systems

Products:
  • Acronis Cyber Protect Home Office (Windows)
  • Acronis Agent (Windows)
  • Acronis Cyber Protect 15 (Windows)
Versions: Acronis Cyber Protect Home Office before build 40173, Acronis Agent before build 30600, Acronis Cyber Protect 15 before build 30984
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows versions of these products. The vulnerability exists in the default configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with local access can achieve full SYSTEM privileges, enabling complete system compromise, data theft, persistence mechanisms, and disabling of security controls.

🟠 Likely Case

Malware or malicious users with initial access can escalate privileges to bypass security restrictions, install additional malware, or access protected system resources.

🟢 If Mitigated

With proper access controls and least privilege principles, impact is limited to the compromised user account only.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring initial access to the system.
🏢 Internal Only: HIGH - Once an attacker gains initial access to a vulnerable system, exploitation is straightforward and leads to full system compromise.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but is considered low complexity once initial access is obtained. The vulnerability is in driver communication mechanisms.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Acronis Cyber Protect Home Office build 40173+, Acronis Agent build 30600+, Acronis Cyber Protect 15 build 30984+

Vendor Advisory: https://security-advisory.acronis.com/SEC-5487

Restart Required: Yes

Instructions:

1. Open the Acronis product.
2. Check for updates in settings.
3. Apply available updates.
4. Restart the system as prompted.
5. Verify the updated version is running.

🔧 Temporary Workarounds

Restrict local access (windows)

Limit local user access to vulnerable systems to trusted users only.

Remove vulnerable software (windows)

Uninstall affected Acronis products if not essential:

Control Panel > Programs > Uninstall a program > Select Acronis product > Uninstall

🧯 If You Can't Patch

  • Implement strict access controls to limit who can log into affected systems
  • Monitor for unusual privilege escalation attempts and driver communication anomalies

🔍 How to Verify

Check if Vulnerable:

Check the Acronis product version in the application interface or via the 'wmic product get name,version' command, and compare it with the vulnerable versions listed above.

Check Version:

wmic product where "name like '%Acronis%'" get name,version

Verify Fix Applied:

Verify the installed version meets or exceeds the patched build numbers: Home Office 40173+, Agent 30600+, Cyber Protect 15 30984+
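As an added example (not part of this advisory or of Acronis' own tooling), the following PowerShell script reads the installed Acronis entries from the Uninstall registry keys and compares each build against the patched builds listed above; it assumes the build number is the trailing numeric component of DisplayVersion, and it reads the registry rather than Win32_Product (wmic product) because querying that class triggers an MSI consistency check of every installed package.

```powershell
# Added example, not from the advisory: compare installed Acronis builds with the
# patched builds for CVE-2022-45451. Reads the Uninstall registry keys rather than
# Win32_Product (wmic product), which triggers an MSI consistency check of every
# installed package when queried.
# Assumption: the build number is the trailing numeric component of DisplayVersion.
$PatchedBuilds = @{
    'Cyber Protect Home Office' = 40173
    'Agent'                     = 30600
    'Cyber Protect 15'          = 30984
}

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-AcronisBuildStatus {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Acronis*' -and $_.DisplayVersion } |
        ForEach-Object {
            $name    = $_.DisplayName
            $version = [string]$_.DisplayVersion
            # Trailing digits of the version string are taken as the build number.
            $build = if ($version -match '(\d+)\s*$') { [int]$Matches[1] } else { $null }

            # Match the entry to one of the product families named in the advisory.
            $required = $null
            foreach ($family in $PatchedBuilds.Keys) {
                if ($name -like "*$family*") { $required = $PatchedBuilds[$family]; break }
            }

            $status = 'Unknown'   # product family or build could not be determined
            if ($null -ne $required -and $null -ne $build) {
                $status = if ($build -ge $required) { 'Patched' } else { 'VULNERABLE' }
            }

            [pscustomobject]@{
                Product  = $name
                Version  = $version
                Build    = $build
                Required = $required
                Status   = $status
            }
        }
}

Get-AcronisBuildStatus | Format-Table -AutoSize
```

Entries reported as Unknown need a manual check in the product's About dialog, since their DisplayName or DisplayVersion did not match the assumptions above.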

📡 Detection & Monitoring

Log Indicators:

  • Unusual driver loading events
  • Privilege escalation attempts in Windows Security logs
  • Acronis service anomalies

Network Indicators:

  • Local inter-process communication anomalies on driver ports

SIEM Query:

EventID=4688 AND (NewProcessName LIKE '%Acronis%' OR ParentProcessName LIKE '%Acronis%') AND SubjectUserName!=SYSTEM
