CVE-2023-45248
📋 TL;DR
This CVE describes a DLL hijacking vulnerability in Acronis Cyber Protect products on Windows that allows local attackers to escalate privileges. An authenticated user could place a malicious DLL in a specific location to execute code with higher privileges. Affected users include those running vulnerable versions of Acronis Cyber Protect Cloud Agent or Acronis Cyber Protect 16 on Windows systems.
💻 Affected Systems
- Acronis Cyber Protect Cloud Agent (Windows)
- Acronis Cyber Protect 16 (Windows)
📦 What is this software?
Agent by Acronis
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains SYSTEM/administrator privileges, enabling complete system compromise, data theft, persistence establishment, and lateral movement.
Likely Case
Authenticated user escalates to higher privileges, potentially installing malware, accessing sensitive data, or bypassing security controls.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated systems with minimal data exposure.
🎯 Exploit Status
Requires authenticated access to place malicious DLL in specific directory. DLL hijacking is a well-known technique with established exploitation patterns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Acronis Cyber Protect Cloud Agent build 36497 or later, Acronis Cyber Protect 16 build 37391 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-6052
Restart Required: Yes
Instructions:
1. Download the latest version from the Acronis portal.
2. Run the installer with administrative privileges.
3. Restart the affected systems.
4. Verify that the update was applied.
🔧 Temporary Workarounds
Restrict DLL write permissions
Set restrictive permissions on the directories Acronis loads DLLs from so that unauthorized users cannot write to them.
icacls "C:\Program Files\Acronis\*" /deny Users:(OI)(CI)W
icacls "C:\Program Files (x86)\Acronis\*" /deny Users:(OI)(CI)W
Enable DLL Safe Search Mode
Configure Windows to search for DLLs only in secure locations.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "SafeDllSearchMode" -Value 1 -Type DWord
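As a check to pair with the two workarounds above, here is an added PowerShell audit script; it is not part of the Acronis advisory and not Acronis code. It lists every Allow ACE on the Acronis program directories that grants a file-planting right (create, delete, change permissions, take ownership) to a principal other than the trusted ones named in the script, skips an Allow that a matching Deny ACE for the same identity already overrides (so the icacls workaround shows as covered), and reports whether SafeDllSearchMode has been explicitly turned off. The two Program Files roots and the list of trusted identities are assumptions; adjust them to the install.

```powershell
# Added audit example, not part of the Acronis advisory. Assumes Acronis is
# installed under the two Program Files roots the advisory names.
$AcronisRoots = @("$env:ProgramFiles\Acronis", "${env:ProgramFiles(x86)}\Acronis") |
    Where-Object { Test-Path -LiteralPath $_ }

# Principals expected to hold write access (assumption: extend for your image).
$TrustedIdentities = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Rights that let a principal plant, replace or delete a file in a directory,
# or rewrite its ACL. Read and Execute bits are deliberately left out.
$PlantRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-WeakAcronisAce {
    foreach ($root in $AcronisRoots) {
        # The root plus every subdirectory: a DLL is planted next to a binary.
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            $acl = Get-Acl -LiteralPath $dir.FullName
            $denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($TrustedIdentities -contains $ace.IdentityReference.Value) { continue }
                $risky = $ace.FileSystemRights -band $PlantRights
                if ($risky -eq 0) { continue }
                # A Deny ACE for the same identity covering every risky bit wins over
                # the Allow; that is what the icacls workaround relies on.
                $covered = $denies | Where-Object {
                    $_.IdentityReference.Value -eq $ace.IdentityReference.Value -and
                    (($_.FileSystemRights -band $risky) -eq $risky)
                }
                if ($covered) { continue }
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Test-SafeDllSearchMode {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $value = (Get-ItemProperty -Path $key -Name SafeDllSearchMode -ErrorAction SilentlyContinue).SafeDllSearchMode
    # The value is absent on a default install, which means safe search is on;
    # only an explicit 0 turns it off.
    return ($null -eq $value) -or ($value -ne 0)
}

$weak = @(Get-WeakAcronisAce)
if ($weak.Count -eq 0) { 'No write-class Allow ACEs for untrusted principals under Acronis directories.' }
else { $weak | Format-Table -AutoSize }
if (-not (Test-SafeDllSearchMode)) { Write-Warning 'SafeDllSearchMode is explicitly set to 0.' }
```

Run it elevated so Get-Acl can read every subdirectory. Two limits worth knowing: the script does not expand generic rights (an ACE shown as a raw number such as 268435456 is GENERIC_ALL and should be reviewed by hand), and it matches Deny to Allow by identity string only, so a Deny on a group does not hide an Allow granted directly to one of its members. SafeDllSearchMode only moves the current working directory later in the DLL search order; it does nothing for a DLL placed in the application directory itself, which is why the ACL check is the one that matters for this CVE.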
🧯 If You Can't Patch
- Implement strict access controls to limit who can log into affected systems.
- Monitor for suspicious DLL creation/modification in Acronis directories using file integrity monitoring.
🔍 How to Verify
Check if Vulnerable:
Check the Acronis agent version in Control Panel > Programs and Features or with the 'acronis_agent.exe --version' command.
Check Version:
acronis_agent.exe --version
Verify Fix Applied:
Verify version is at or above build 36497 (Cloud Agent) or 37391 (Cyber Protect 16). Check that no unauthorized DLLs exist in Acronis directories.
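The following added PowerShell script (not from the advisory or from Acronis) does the Programs and Features check programmatically: it reads the Uninstall registry entries that dialog is built from and compares each Acronis entry's build against the patched builds named above. It assumes that the entry's DisplayName contains "Acronis", that "Cyber Protect 16" versus "Agent" in the name tells the two products apart, and that the build is the last numeric component of DisplayVersion; confirm those against a known-patched host before relying on the verdict.

```powershell
# Added verification example, not part of the Acronis advisory.
# Patched builds are the ones the advisory names.
$PatchedBuilds = @{
    CyberProtect16 = 37391
    CloudAgent     = 36497
}

# Assumption: the build number is the trailing numeric component of DisplayVersion.
function Get-BuildNumber([string]$DisplayVersion) {
    if ($DisplayVersion -match '(\d+)\s*$') { return [int]$Matches[1] }
    return $null
}

function Get-AcronisPatchStatus {
    # Same data Programs and Features shows, for 64-bit and 32-bit installers.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Acronis*' } |
        ForEach-Object {
            # Assumption: product is identified by these substrings of DisplayName.
            $required = $null
            if ($_.DisplayName -like '*Cyber Protect 16*') { $required = $PatchedBuilds.CyberProtect16 }
            elseif ($_.DisplayName -like '*Agent*') { $required = $PatchedBuilds.CloudAgent }

            $build = Get-BuildNumber $_.DisplayVersion
            $status = 'Unknown'
            if ($null -ne $required -and $null -ne $build) {
                $status = if ($build -ge $required) { 'Patched' } else { 'VULNERABLE' }
            }
            [pscustomobject]@{
                Product  = $_.DisplayName
                Version  = $_.DisplayVersion
                Build    = $build
                Required = $required
                Status   = $status
            }
        }
}

Get-AcronisPatchStatus | Format-Table -AutoSize
```

A row with Status "Unknown" means the name or version string did not match the assumptions, not that the host is safe; fall back to the acronis_agent.exe check for those.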
📡 Detection & Monitoring
Log Indicators:
- Unexpected DLL loads from Acronis processes
- File creation/modification in Acronis program directories by non-administrative users
- Process creation with parent Acronis processes
Network Indicators:
- None - local exploitation only
SIEM Query:
(EventID=4663 OR EventID=4656) AND ObjectName LIKE '%Acronis%' AND (Accesses LIKE '%WriteData%' OR Accesses LIKE '%WRITE_DAC%' OR Accesses LIKE '%WRITE_OWNER%')
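For hosts that are not forwarding to a SIEM, here is an added PowerShell version of the same detection; it is not from the advisory or from Acronis. Enable-AcronisWriteAudit puts a SACL on the Acronis directories so that Windows emits the 4663/4656 events in the first place, and Get-AcronisWriteEvent reads the Security log and keeps only events whose access mask includes a write, delete, WRITE_DAC or WRITE_OWNER bit, whose object path is under an Acronis directory, and whose subject is not one of the service accounts. The Program Files roots and the trusted-subject list are assumptions.

```powershell
# Added detection example, not part of the Acronis advisory. Assumes the two
# Program Files roots from the advisory. File System object-access auditing must
# be on for 4663 to be written at all; run once as an administrator:
#   auditpol /set /subcategory:"File System" /success:enable
$AcronisRoots = @("$env:ProgramFiles\Acronis", "${env:ProgramFiles(x86)}\Acronis") |
    Where-Object { Test-Path -LiteralPath $_ }

# Access-mask bits that change directory contents, ACL or owner; read bits excluded.
# 0x2 WriteData/AddFile, 0x4 AppendData/AddSubdirectory, 0x40 DeleteChild,
# 0x10000 DELETE, 0x40000 WRITE_DAC, 0x80000 WRITE_OWNER
$WriteMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000

# Accounts the agent services legitimately run as (assumption: adjust to the install).
$TrustedSubjects = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')

function Enable-AcronisWriteAudit {
    foreach ($root in $AcronisRoots) {
        $acl = Get-Acl -LiteralPath $root -Audit
        # Audit successful write-class access by anyone, inherited by files and subdirectories.
        $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
            'Everyone',
            'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
            'ContainerInherit, ObjectInherit', 'None', 'Success')
        $acl.AddAuditRule($rule)
        Set-Acl -LiteralPath $root -AclObject $acl
    }
}

function Get-AcronisWriteEvent {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'Security'; Id = 4663, 4656; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $event = $_
        # Flatten the EventData <Data Name="..."> elements into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $object = $data['ObjectName']
        if (-not $object -or $object -notlike '*\Acronis\*') { return }

        $mask = [Convert]::ToInt32($data['AccessMask'], 16)   # logged as e.g. "0x2"
        if (($mask -band $WriteMask) -eq 0) { return }

        $user = $data['SubjectUserName']
        # Skip service accounts and computer accounts (name ends in $).
        if ($TrustedSubjects -contains $user -or $user -like '*$') { return }

        [pscustomobject]@{
            Time    = $event.TimeCreated
            EventId = $event.Id
            Subject = "$($data['SubjectDomainName'])\$user"
            Object  = $object
            Mask    = '0x{0:X}' -f $mask
            Process = $data['ProcessName']
        }
    }
}

Get-AcronisWriteEvent | Format-Table -AutoSize
```

Run Enable-AcronisWriteAudit once, elevated; the SACL is what makes the events appear, and without it the query returns nothing even with the audit policy on. Expect legitimate rows from the Acronis updater and from administrators applying the patch; the rows to chase are writes by an ordinary interactive user, especially with a Process that is not an Acronis or installer binary. 4656 records the access that was requested and 4663 the access that was actually exercised, so a 4656 without a matching 4663 is a denied or unused handle.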