CVE-2022-45454
📋 TL;DR
This vulnerability allows local users to access sensitive information due to insecure folder permissions in Acronis products on Windows. It affects Acronis Agent and Acronis Cyber Protect 15 installations where folder permissions are improperly configured, potentially exposing credentials, configuration files, or other sensitive data.
💻 Affected Systems
- Acronis Agent (Windows)
- Acronis Cyber Protect 15 (Windows)
📦 What is this software?
Agent by Acronis
⚠️ Risk & Real-World Impact
Worst Case
Attackers with local access could steal administrative credentials, configuration secrets, or backup encryption keys, leading to complete system compromise or data breach.
Likely Case
Local users or malware could access sensitive configuration files containing service credentials or system information that could be used for privilege escalation.
If Mitigated
With proper access controls and least privilege principles, impact is limited to non-sensitive information or prevented entirely.
🎯 Exploit Status
Exploitation requires local access to the system. Attack involves checking folder permissions and accessing files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Acronis Agent build 30161 or later, Acronis Cyber Protect 15 build 30984 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-4379
Restart Required: Yes
Instructions:
1. Download the latest version from the Acronis portal.
2. Run the installer with administrative privileges.
3. Restart affected systems.
4. Verify folder permissions are corrected.
🔧 Temporary Workarounds
Manual Folder Permission Correction
Platform: Windows
Manually adjust folder permissions to restrict access to authorized users only.
icacls "C:\ProgramData\Acronis" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" /T
🧯 If You Can't Patch
- Implement strict access controls and monitor folder permission changes.
- Restrict local user access to systems running vulnerable Acronis software.
🔍 How to Verify
Check if Vulnerable:
Check the Acronis version via Control Panel > Programs and Features, or run 'wmic product where "name like '%Acronis%'" get version' in a command prompt, and compare it against the patched builds listed under Official Fix.
Check Version:
wmic product where "name like '%Acronis%'" get version
Verify Fix Applied:
Verify the installed version is at or above the patched builds, and check folder permissions on the Acronis directories using the 'icacls' command.
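The permission check described above, as an added PowerShell example (not from the vendor advisory or the original page). It reports allow ACEs held by broad built-in groups under the folder used in the workaround command; the list of groups treated as too broad is an assumption, since the page does not name the affected folders or principals.

```powershell
# Added example: list allow ACEs held by broad groups under the Acronis data folder.
param(
    # Path from the workaround command on this page; pass another root if needed.
    [string]$Root = 'C:\ProgramData\Acronis'
)

# Assumption: these well-known SIDs are the principals that should hold no
# rights here once the fix or the workaround is in place.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

function Get-BroadAce {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL on ${Path}: $($_.Exception.Message)"
        return
    }
    # Ask for SIDs directly so the check does not depend on localized group names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check the root itself plus every subdirectory, including hidden ones.
$dirs = @(Get-Item -LiteralPath $Root -Force) +
        @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -Force -ErrorAction SilentlyContinue)
$findings = @($dirs | ForEach-Object { Get-BroadAce -Path $_.FullName })

if ($findings.Count -eq 0) {
    Write-Output "No allow ACEs for broad groups under $Root"
} else {
    $findings | Sort-Object Path, Principal | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated prompt so that subfolders with restricted ACLs can still be read.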
📡 Detection & Monitoring
Log Indicators:
- Unexpected access to Acronis program data folders
- Permission change events on Acronis directories
Network Indicators:
- None - local vulnerability only
SIEM Query:
EventID=4663 AND ObjectName LIKE "%Acronis%" AND AccessMask=0x100