CVE-2024-49389

7.8 HIGH

📋 TL;DR

This vulnerability allows local attackers to escalate privileges on Windows systems by exploiting insecure folder permissions in Acronis Cyber Files. Attackers with local access can write malicious files to system directories, potentially gaining SYSTEM-level privileges. Only Windows installations of Acronis Cyber Files before build 9.0.0x24 are affected.

💻 Affected Systems

Products:
  • Acronis Cyber Files
Versions: All versions before build 9.0.0x24
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations. Linux/macOS versions are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement capabilities.

🟠 Likely Case

Local user or malware with basic privileges escalates to administrative/SYSTEM privileges to install additional malware, disable security controls, or access sensitive data.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to an isolated system compromise that can be detected and contained.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local system access, not remotely exploitable.
🏢 Internal Only: HIGH - Any compromised user account or malware with local execution can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires local access and basic user privileges. Exploitation involves writing files to insecurely configured directories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Build 9.0.0x24 or later

Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-5319

Restart Required: Yes

Instructions:

1. Download the latest version from the Acronis portal.
2. Run the installer as administrator.
3. Follow the installation prompts.
4. Restart the system when prompted.

🔧 Temporary Workarounds

Restrict folder permissions

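Manually adjust permissions on the vulnerable Acronis directories to prevent unauthorized writes. /inheritance:r removes inherited entries, so only the principals named in the command keep explicit access; confirm the product still works for the accounts that use it.

icacls "C:\Program Files\Acronis\Cyber Files" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" /deny "Users:(OI)(CI)(W)"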

🧯 If You Can't Patch

  • Remove Acronis Cyber Files from critical systems until patched
  • Implement strict access controls and monitor for suspicious file writes in Acronis directories

🔍 How to Verify

Check if Vulnerable:

Check the Acronis Cyber Files version in Control Panel > Programs and Features. If the version is earlier than 9.0.0x24, the system is vulnerable.

Check Version:

wmic product where name="Acronis Cyber Files" get version

Verify Fix Applied:

Verify version shows 9.0.0x24 or later in Programs and Features, and check folder permissions on Acronis directories.
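
One way to do the folder-permission check, as an added example that is not from this page's source or from Acronis: the script lists every Allow entry that gives a principal other than SYSTEM, Administrators, TrustedInstaller or CREATOR OWNER the right to create, delete or re-permission files under the install directory. Find-WritableAce is a hypothetical helper name, and the default path is the one used in the workaround above, which may differ on your installation.

```powershell
# Added example: audit a directory tree for write-capable ACEs held by non-privileged principals.
# Find-WritableAce is a hypothetical name; adjust -Root if the product is installed elsewhere.
function Find-WritableAce {
    param([string]$Root = 'C:\Program Files\Acronis\Cyber Files')

    # Rights that let a principal plant or replace files, or rewrite the ACL itself.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Inherit-only ACEs can carry raw generic bits: GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

    # Compare by SID so the check works on non-English Windows.
    $trusted = @(
        'S-1-5-18',      # SYSTEM
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-3-0',       # CREATOR OWNER (applies only to whoever created the object)
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Audit the root folder and every subfolder, including hidden ones.
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force)

    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        # Explicit and inherited rules, with identities returned as SIDs.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($trusted -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $dir.FullName
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# No rows in the output means no non-privileged principal holds a write-capable Allow entry.
Find-WritableAce | Format-Table -AutoSize
```

Run it from an elevated prompt so every subfolder's ACL is readable; any row for Users, Authenticated Users or Everyone is worth investigating.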

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file writes to Acronis program directories
  • Process creation from Acronis directories by non-privileged users
  • Permission changes on Acronis folders

Network Indicators:

  • No network indicators - local exploitation only

SIEM Query:

EventID=4688 AND (NewProcessName contains "Acronis" OR ProcessCommandLine contains "Acronis") AND SubjectUserName NOT IN ("SYSTEM", "Administrator")
