CVE-2023-45249
📋 TL;DR
CVE-2023-45249 allows remote attackers to execute arbitrary commands on affected Acronis Cyber Infrastructure systems because the product ships with default passwords. It affects Acronis Cyber Infrastructure builds older than 5.0.1-61, 5.1.1-71, 5.2.1-69, 5.3.1-53 and 5.4.4-132 (one fixed build per release branch). Organizations running vulnerable builds are at risk of complete system compromise.
💻 Affected Systems
- Acronis Cyber Infrastructure (ACI)
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with administrative privileges, data theft, ransomware deployment, and lateral movement across the network.
Likely Case
Remote command execution leading to data exfiltration, installation of backdoors, or cryptomining malware.
If Mitigated
Limited impact if systems are isolated, monitored, and have strong network segmentation.
🎯 Exploit Status
Exploitation has been observed in the wild according to security advisories. Attackers can exploit this without authentication using default credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 5.0.1-61, 5.1.1-71, 5.2.1-69, 5.3.1-53, or 5.4.4-132 depending on your version
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-6452
Restart Required: Yes
Instructions:
1. Identify your current ACI version.
2. Download the appropriate patched build from Acronis.
3. Apply the update following Acronis documentation.
4. Restart the ACI services or system as required.
🔧 Temporary Workarounds
Change Default Passwords
Immediately change all default passwords and credentials on ACI systems. Use the Acronis management interface to change the administrative passwords.
Network Isolation
Restrict network access to ACI systems using firewalls. Replace [ACI_PORTS] with the ACI service ports and [TRUSTED_IPS] with the management hosts that legitimately need access; because iptables evaluates rules in order and -A appends, add the ACCEPT rule before the DROP rule, and use one ACCEPT rule per trusted address or subnet.
iptables -A INPUT -p tcp --dport [ACI_PORTS] -s [TRUSTED_IPS] -j ACCEPT
iptables -A INPUT -p tcp --dport [ACI_PORTS] -j DROP
🧯 If You Can't Patch
- Immediately isolate affected systems from the internet and untrusted networks
- Implement strict network segmentation and monitor all traffic to/from ACI systems
🔍 How to Verify
Check if Vulnerable:
Check your ACI build version via the management interface or CLI. If it's older than the patched builds listed, you are vulnerable.
Check Version:
Check via Acronis management console or run 'acli version' on the ACI system
Verify Fix Applied:
Confirm the build version matches or exceeds the patched versions: 5.0.1-61, 5.1.1-71, 5.2.1-69, 5.3.1-53, or 5.4.4-132.
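The comparison described above is easy to get wrong by hand because each release branch has its own fixed build (for example, 5.4.3-200 is older than 5.4.4-132 even though its build number is larger). The following script is an added example, not Acronis tooling: it assumes the "major.minor.patch-build" string format implied by the version numbers on this page and reports whether a build is at or above the fixed build for its branch. Branches the advisory summary does not list are reported as unknown rather than as safe.

```python
"""Check an Acronis Cyber Infrastructure build string against the patched
builds listed in the CVE-2023-45249 summary above.

Added example, not Acronis code. The build-string format
'major.minor.patch-build' is an assumption based on the version numbers
quoted on the page.
"""
import re

# Minimum patched (patch, build) per release branch (major, minor), taken
# from the summary: 5.0.1-61, 5.1.1-71, 5.2.1-69, 5.3.1-53, 5.4.4-132.
PATCHED_BUILDS = {
    (5, 0): (1, 61),
    (5, 1): (1, 71),
    (5, 2): (1, 69),
    (5, 3): (1, 53),
    (5, 4): (4, 132),
}

_BUILD_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)-(\d+)\s*$")


def parse_build(build: str) -> tuple:
    """Split '5.2.1-69' into (major, minor, patch, build) ints; raise on junk."""
    match = _BUILD_RE.match(build)
    if not match:
        raise ValueError(f"unrecognised ACI build string: {build!r}")
    return tuple(int(x) for x in match.groups())


def is_patched(build: str):
    """True if the build is at or above the fixed build for its branch,
    False if it is older (vulnerable), None if the branch is not covered
    by the summary (treat as 'consult SEC-6452', never as safe)."""
    major, minor, patch, number = parse_build(build)
    fixed = PATCHED_BUILDS.get((major, minor))
    if fixed is None:
        return None
    # Compare patch level first, then build number, within the branch.
    return (patch, number) >= fixed


def assess(build: str) -> str:
    """Human-readable verdict for one build string."""
    status = is_patched(build)
    if status is None:
        return f"{build}: branch not covered by this summary, check SEC-6452"
    return f"{build}: {'patched' if status else 'VULNERABLE, update required'}"


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for sample in ["5.2.1-68", "5.2.1-69", "5.4.3-200", "5.4.4-132",
                   "5.4.5-3", "6.0.0-1"]:
        print(assess(sample))
```

Feed it the build string shown by the management console; an exception from parse_build means the string is in a format this check does not understand, which should be resolved manually rather than ignored.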
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful logins from unexpected IPs
- Unusual command execution in system logs
- Changes to user accounts or passwords
Network Indicators:
- Unexpected outbound connections from ACI systems
- Traffic to known malicious IPs or domains
- Unusual port scanning originating from ACI systems
SIEM Query:
source="acronis_logs" AND ((event_type="authentication" AND result="success" AND user="default") OR (event_type="process_execution" AND parent_process="acronis_service"))
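The first two log indicators above (failed authentication attempts followed by a successful login, and logins from unexpected sources) and the account-change indicator can be checked offline before a SIEM rule exists. The script below is an added example, not an Acronis or SIEM product feature: the key=value log format and the sample lines are constructed for illustration, since the page does not give ACI's real log format, and the field names would need to be mapped to whatever the ACI log source actually emits.

```python
"""Run the log indicators for CVE-2023-45249 over sample authentication logs.

Added example, not Acronis code. The 'timestamp key=value ...' line format
and the sample lines are constructed; map the field names to your real
ACI log source before use.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log: three failures then a success from an address
# that is not a known management host, followed by a password change.
SAMPLE_LOG = """\
2024-07-29T10:00:01Z event=auth user=admin src=10.0.0.7 result=success
2024-07-29T10:05:10Z event=auth user=admin src=203.0.113.5 result=failure
2024-07-29T10:05:12Z event=auth user=admin src=203.0.113.5 result=failure
2024-07-29T10:05:14Z event=auth user=admin src=203.0.113.5 result=failure
2024-07-29T10:05:20Z event=auth user=admin src=203.0.113.5 result=success
2024-07-29T10:06:00Z event=password_change user=admin src=203.0.113.5 result=success
2024-07-29T11:00:00Z event=auth user=operator src=10.0.0.8 result=success
"""

# Constructed allowlist of hosts expected to reach the ACI management interface.
TRUSTED_SOURCES = {"10.0.0.7", "10.0.0.8"}


def parse_line(line: str) -> dict:
    """Parse 'ISO-timestamp key=value key=value ...' into a dict with a 'ts' datetime."""
    stamp, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return fields


def detect(lines, trusted_sources, window=timedelta(minutes=5), fail_threshold=3):
    """Return (indicator, src, user, failure_count) tuples for suspicious events."""
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of recent failed logins
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        src, user = ev.get("src"), ev.get("user")
        if ev.get("event") == "auth":
            if ev.get("result") == "failure":
                failures[src].append(ev["ts"])
                continue
            if ev.get("result") == "success":
                recent = failures[src]
                # Drop failures older than the window before counting.
                while recent and ev["ts"] - recent[0] > window:
                    recent.popleft()
                if len(recent) >= fail_threshold:
                    alerts.append(("auth-after-failures", src, user, len(recent)))
                if src not in trusted_sources:
                    alerts.append(("login-from-unexpected-ip", src, user, 0))
                recent.clear()
        elif ev.get("event") in ("password_change", "user_modify"):
            alerts.append(("account-change", src, user, 0))
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines(), TRUSTED_SOURCES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The failure window and threshold are starting points; tune them against a baseline of normal administrative activity so that a mistyped password from a known host does not fire the brute-force indicator, while a success from an address outside the allowlist always does.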
🔗 References
- https://security-advisory.acronis.com/advisories/SEC-6452
- https://www.securityweek.com/acronis-product-vulnerability-exploited-in-the-wild/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-45249