CVE-2024-34010
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Acronis Windows products due to an unquoted search path issue. Attackers with local access can exploit this to execute arbitrary code with SYSTEM privileges. Affected users include those running vulnerable versions of Acronis Cyber Protect Cloud Agent, Acronis Cyber Protect 16, or Acronis True Image on Windows systems.
💻 Affected Systems
- Acronis Cyber Protect Cloud Agent (Windows)
- Acronis Cyber Protect 16 (Windows)
- Acronis True Image (Windows)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, allowing attackers to install persistent malware, steal credentials, or disable security controls.
Likely Case
Local attackers escalating privileges to SYSTEM to bypass security restrictions, install additional tools, or maintain persistence on compromised systems.
If Mitigated
Limited impact if proper access controls prevent local user execution or if vulnerable services aren't running with elevated privileges.
🎯 Exploit Status
Exploitation requires local access to the system. Unquoted search path vulnerabilities are well-understood and typically easy to exploit once the vulnerable service path is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Acronis Cyber Protect Cloud Agent build 37758+, Acronis Cyber Protect 16 build 38690+, Acronis True Image build 42386+
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-7110
Restart Required: Yes
Instructions:
1. Download the latest version from the Acronis website or update through the product interface.
2. Install the update following vendor instructions.
3. Restart the system to ensure all services are running with patched binaries.
🔧 Temporary Workarounds
Restrict local user access
Limit local user accounts and apply least-privilege principles to reduce the attack surface.
Monitor service paths
Implement file integrity monitoring on service executable paths and their parent directories.
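The Exploit Status and Monitor service paths sections above describe the vulnerability class without showing what the check looks like. The following is an added example (not code from the advisory or from Acronis) that audits service command lines for the vulnerable shape, an unquoted executable path containing spaces, and derives the parent directories that file integrity monitoring or ACL hardening should cover. The service names and paths are constructed for the example; on a live host the same strings come from the PathName property of Get-CimInstance Win32_Service.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample of service command lines as they appear in the PathName
# property of Win32_Service (or the ImagePath registry value). The paths are
# made up for this example; they are not Acronis's real install paths.
SAMPLE_SERVICES: Dict[str, str] = {
    "GoodService": '"C:\\Program Files\\Example Vendor\\Agent\\agent.exe" --service',
    "BadService": "C:\\Program Files\\Example Vendor\\Agent\\agent.exe --service",
    "NoSpaces": "C:\\Windows\\system32\\svchost.exe -k netsvcs",
    "Driver": "%SystemRoot%\\system32\\drivers\\example.sys",
}

# Heuristic: the executable portion of an unquoted command line ends at the
# first .exe/.sys/.dll token; whatever follows is arguments.
_EXE_RE = re.compile(r"(.+?\.(?:exe|sys|dll))(?=\s|$)", re.IGNORECASE)


def executable_path(command_line: str) -> str:
    """Return the executable portion of a service command line."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        # Quoted command line: the executable is everything inside the quotes.
        return cmd[1:].split('"', 1)[0]
    match = _EXE_RE.match(cmd)
    return match.group(1) if match else cmd


def is_unquoted_with_spaces(command_line: str) -> bool:
    """True when the path is unquoted and contains a space (the vulnerable shape)."""
    cmd = command_line.strip()
    return not cmd.startswith('"') and " " in executable_path(cmd)


def directories_to_monitor(exe_path: str) -> List[str]:
    """Parent directories of every prefix the loader would try before the
    full path, i.e. the places where a planted file could shadow the real
    binary. These are the directories to watch with FIM or lock down with ACLs."""
    tokens = exe_path.split(" ")
    candidates = [" ".join(tokens[:i]) for i in range(1, len(tokens))] + [exe_path]
    dirs: List[str] = []
    for cand in candidates:
        parent = ntpath.dirname(cand)
        if parent and parent not in dirs:
            dirs.append(parent)
    return dirs


def audit_services(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each vulnerable service name to the directories worth monitoring."""
    findings: Dict[str, List[str]] = {}
    for name, cmd in services.items():
        if is_unquoted_with_spaces(cmd):
            findings[name] = directories_to_monitor(executable_path(cmd))
    return findings


if __name__ == "__main__":
    for svc, dirs in audit_services(SAMPLE_SERVICES).items():
        print(f"{svc}: unquoted path with spaces; monitor {dirs}")
```

Only BadService is flagged: the quoted GoodService and the space-free paths are not exploitable this way. The monitored-directory list for a flagged service starts at the drive root, which is why restrictive ACLs on C:\ and C:\Program Files matter as much as the service's own folder.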
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized local access to affected systems
- Deploy application whitelisting to prevent execution of unauthorized binaries in service directories
🔍 How to Verify
Check if Vulnerable:
Check the installed version in Acronis product interface or Control Panel > Programs and Features. Compare against vulnerable build numbers.
Check Version:
Check via the Acronis product interface or PowerShell: Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Acronis*'} | Select-Object Name, Version (note that querying Win32_Product enumerates and validates every MSI package on the host, so it is slow and can trigger MSI repair actions)
Verify Fix Applied:
Verify the installed build number meets or exceeds the patched versions: 37758 for Cyber Protect Cloud Agent, 38690 for Cyber Protect 16, 42386 for True Image.
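As an added example (not code from the advisory or from Acronis), the comparison described above can be automated over a software inventory. The patched build numbers come from the advisory; the product-name prefix matching and the assumption that the build number is the last dot-separated component of the version string are ours, and the sample inventory is constructed.

```python
from typing import Dict, List, Optional, Tuple

# Build numbers from the advisory: a build equal to or above these is patched.
PATCHED_BUILDS: Dict[str, int] = {
    "Acronis Cyber Protect Cloud Agent": 37758,
    "Acronis Cyber Protect 16": 38690,
    "Acronis True Image": 42386,
}


def build_number(version: str) -> int:
    """Extract the build number from a version string.

    Assumption for this example: the build is the last dot-separated
    component (e.g. "16.0.38690" -> 38690). Adjust if your inventory
    reports versions in a different shape.
    """
    last = version.strip().split(".")[-1]
    if not last.isdigit():
        raise ValueError(f"no numeric build component in {version!r}")
    return int(last)


def patched_threshold(product_name: str) -> Optional[int]:
    """Find the advisory entry whose product name is a prefix of the installed name."""
    for known, build in PATCHED_BUILDS.items():
        if product_name.startswith(known):
            return build
    return None


def classify(product_name: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'not-affected-product'."""
    threshold = patched_threshold(product_name)
    if threshold is None:
        return "not-affected-product"
    return "patched" if build_number(version) >= threshold else "vulnerable"


def classify_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    return {name: classify(name, ver) for name, ver in inventory}


# Constructed inventory resembling Name/Version output from Win32_Product.
# The version strings are made up; real Acronis version strings may differ.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("Acronis Cyber Protect 16", "16.0.38690"),
    ("Acronis True Image", "28.0.42000"),
    ("Acronis Cyber Protect Cloud Agent", "24.7.37758"),
    ("Example Other Tool", "1.0.5"),
]

if __name__ == "__main__":
    for name, verdict in classify_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {verdict}")
```

The thresholds are inclusive, matching the advisory's "meets or exceeds" wording, so build 37758 of the Cloud Agent counts as patched while True Image build 42000 does not.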
📡 Detection & Monitoring
Log Indicators:
- Unexpected service restarts
- Creation of executable files in service directories
- Process creation from unusual locations by SYSTEM account
Network Indicators:
- None: exploitation is local and generates no network traffic
SIEM Query:
Process creation events where the parent process is an Acronis service and the child image lives at an unusual location (for example a path that is a truncated prefix of the service path, or a directory outside Program Files and Windows), or where the service command line contains an unquoted path with spaces
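The SIEM query above is expressed in words; the following added example (not code from the advisory or from Acronis) implements the same logic over constructed Sysmon-style process-creation events. It flags a child whose path is a space-delimited prefix of its parent's path, which is exactly what a successful unquoted-path hijack looks like in the process tree, and, more loosely, any child spawned by an Acronis service from outside the usual program directories. The field names follow Sysmon Event ID 1; the assumption that Acronis service binaries sit under a directory named "Acronis" and the sample paths are ours.

```python
import ntpath
from typing import Dict, List, Optional, Tuple

# Constructed Sysmon-style process-creation events (Event ID 1 field names).
# Paths are illustrative and not taken from a real Acronis installation.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": "C:\\Program Files\\Acronis\\Agent\\agent.exe",
     "Image": "C:\\Program Files\\Acronis\\Agent\\helper.exe",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"ParentImage": "C:\\Program Files\\Acronis\\Agent\\agent.exe",
     "Image": "C:\\Program.exe",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"ParentImage": "C:\\Program Files\\Acronis\\Agent\\agent.exe",
     "Image": "C:\\Users\\Public\\tool.exe",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Users\\Public\\tool.exe",
     "User": "DESKTOP\\alice"},
]

# Directories from which a service is expected to launch children.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def is_acronis_parent(parent_image: str) -> bool:
    # Assumption: Acronis service binaries live under a directory named Acronis.
    return "\\acronis\\" in parent_image.lower()


def is_truncated_prefix(child_image: str, parent_image: str) -> bool:
    """True when the child's path (minus extension) is a space-delimited prefix
    of the parent's path, e.g. C:\\Program.exe spawned by C:\\Program Files\\..."""
    stem, _ = ntpath.splitext(child_image)
    return parent_image.lower().startswith(stem.lower() + " ")


def classify_event(event: Dict[str, str]) -> Optional[str]:
    """Return the name of the matching rule, or None for benign events."""
    parent, child = event["ParentImage"], event["Image"]
    if not is_acronis_parent(parent):
        return None
    if is_truncated_prefix(child, parent):
        return "truncated_path_hijack"
    if not child.lower().startswith(EXPECTED_DIRS):
        return "unusual_child_location"
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every event that matches a rule."""
    hits: List[Tuple[int, str]] = []
    for idx, event in enumerate(events):
        rule = classify_event(event)
        if rule:
            hits.append((idx, rule))
    return hits


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{rule}] {ev['ParentImage']} -> {ev['Image']} as {ev['User']}")
```

The truncated-prefix rule is high confidence and should page someone; the unusual-location rule is noisier and is better suited to a hunting dashboard, since legitimate updaters and installers sometimes run from temporary directories.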