CVE-2023-48677
📋 TL;DR
This CVE describes a DLL hijacking vulnerability in Acronis Cyber Protect products for Windows that allows local attackers to escalate privileges. Attackers can place malicious DLLs in directories where the application searches for them, potentially gaining SYSTEM-level access. Affected users include those running vulnerable versions of Acronis Cyber Protect Home Office, Cyber Protect Cloud Agent, or Cyber Protect 16 on Windows systems.
💻 Affected Systems
- Acronis Cyber Protect Home Office (Windows)
- Acronis Cyber Protect Cloud Agent (Windows)
- Acronis Cyber Protect 16 (Windows)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains SYSTEM privileges, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement capabilities.
Likely Case
Local user or malware with limited privileges escalates to administrator/SYSTEM level to install additional malware, disable security controls, or access sensitive data.
If Mitigated
With proper access controls and monitoring, exploitation would be detected and contained before significant damage occurs.
🎯 Exploit Status
DLL hijacking vulnerabilities typically have low exploitation complexity for attackers with local access. The attacker needs write access to directories searched by the application.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Acronis Cyber Protect Home Office build 40901 or later, Acronis Cyber Protect Cloud Agent build 39378 or later, Acronis Cyber Protect 16 build 39938 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-5620
Restart Required: Yes
Instructions:
1. Open the Acronis Cyber Protect application.
2. Check for updates in the settings/help menu.
3. Download and install the available updates.
4. Restart the system when prompted.
5. Verify that the installed version is the patched build or later.
🔧 Temporary Workarounds
Restrict write permissions to application directories
Windows: Prevent unauthorized users from writing DLLs to the directories where Acronis applications search for them.
icacls "C:\Program Files\Acronis" /deny Users:(OI)(CI)W
icacls "C:\Program Files (x86)\Acronis" /deny Users:(OI)(CI)W
Note: a trailing backslash before the closing quote is consumed as an escape by the Windows argument parser, so the paths are given without one. Deny entries take precedence over allow entries and the built-in Users group contains Authenticated Users and INTERACTIVE by default, so this also blocks interactive administrator sessions from writing there; remove the deny entries before installing the vendor update.
Enable Windows Defender Application Control
Windows: Use WDAC to restrict which DLLs can be loaded by applications.
🧯 If You Can't Patch
- Remove local user accounts with limited privileges from affected systems
- Implement strict file integrity monitoring on Acronis application directories
🔍 How to Verify
Check if Vulnerable:
Check Acronis Cyber Protect version in application settings or Control Panel > Programs and Features. Compare against vulnerable builds.
Check Version:
wmic product where "name like 'Acronis%'" get name, version
Note: wmic is deprecated and absent from recent Windows builds, and querying the Win32_Product class triggers a consistency check of every installed MSI package, so on newer systems Control Panel > Programs and Features or the application's own About dialog is the quicker check.
Verify Fix Applied:
Verify the installed version meets or exceeds the patched build numbers: Home Office >= 40901, Cloud Agent >= 39378, Cyber Protect 16 >= 39938.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing DLL loading from unusual locations (Sysmon Event ID 7, ImageLoaded, records the full path of each module a process loads)
- Process Monitor logs showing Acronis processes loading DLLs from user-writable directories
- Unexpected privilege escalation events
Network Indicators:
- No network indicators as this is a local attack
SIEM Query:
EventID=4688 AND NewProcessName LIKE '%Acronis%' AND MandatoryLabel='S-1-16-16384'
Note: the original query mixed OR and AND without parentheses and included Event ID 4689 (process termination), which carries no integrity level; in Event ID 4688 the process path field is NewProcessName and the integrity level is MandatoryLabel, where S-1-16-16384 is System. Event 4688 only shows process creation, so pair it with Sysmon Event ID 7 to see which DLLs an Acronis process actually loaded.
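The log-indicator and SIEM logic above, applied to Sysmon Event ID 7 records, as an added example that is not part of the advisory or of Acronis's own tooling. It assumes a JSON-lines export with Sysmon's field names, hypothetical Acronis install paths, and that Acronis ships only signed DLLs, so an unsigned module inside the install tree is also flagged.

```python
"""Flag Sysmon Event ID 7 (ImageLoaded) records in which an Acronis process loads a
DLL from outside its install tree and the Windows system directories, or loads an
unsigned DLL from inside them. Field names follow Sysmon's; paths are hypothetical."""
import json
from pathlib import PureWindowsPath

ACRONIS_ROOTS = (r"C:\Program Files\Acronis", r"C:\Program Files (x86)\Acronis",
                 r"C:\Program Files\Common Files\Acronis")
SYSTEM_ROOTS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")

def under(path, root):
    """Case-insensitive test that `path` lies inside directory `root`."""
    p = [s.lower() for s in PureWindowsPath(path).parts]
    r = [s.lower() for s in PureWindowsPath(root).parts]
    return p[:len(r)] == r

def is_suspicious_load(ev):
    """True for an Acronis process loading a DLL from an untrusted location."""
    if ev.get("EventID") != 7 or not any(under(ev["Image"], r) for r in ACRONIS_ROOTS):
        return False                      # not an image-load event, or not an Acronis process
    if any(under(ev["ImageLoaded"], r) for r in ACRONIS_ROOTS + SYSTEM_ROOTS):
        return ev.get("SignatureStatus") != "Valid"   # unsigned file inside a trusted tree
    return True                           # e.g. %TEMP%, %APPDATA%, a network share

def find_suspicious(jsonl):
    """Return the ImageLoaded path of every suspicious record in a JSON-lines export."""
    hits = []
    for line in filter(str.strip, jsonl.splitlines()):
        ev = json.loads(line)
        if is_suspicious_load(ev):
            hits.append(ev["ImageLoaded"])
    return hits

# Constructed sample export: a benign system DLL, a DLL planted in %TEMP%, an
# unsigned DLL dropped into the install tree, and an unrelated process.
SAMPLE = r'''
{"EventID":7,"Image":"C:\\Program Files\\Acronis\\Agent\\agent.exe","ImageLoaded":"C:\\Windows\\System32\\kernel32.dll","SignatureStatus":"Valid"}
{"EventID":7,"Image":"C:\\Program Files\\Acronis\\Agent\\agent.exe","ImageLoaded":"C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll","SignatureStatus":"Unavailable"}
{"EventID":7,"Image":"C:\\Program Files\\Acronis\\Agent\\agent.exe","ImageLoaded":"C:\\Program Files\\Acronis\\Agent\\helper.dll","SignatureStatus":"Unavailable"}
{"EventID":7,"Image":"C:\\Windows\\notepad.exe","ImageLoaded":"C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll","SignatureStatus":"Unavailable"}
'''

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE):
        print("suspicious DLL load:", hit)
```

The same rule can be fed from a real Sysmon export by mapping its EventData fields onto the three keys used here.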