CVE-2024-55540
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Acronis Cyber Protect 16 for Windows due to DLL hijacking. Attackers with local access can exploit this to execute arbitrary code with SYSTEM privileges. Only Windows installations of Acronis Cyber Protect 16 before build 39169 are affected.
💻 Affected Systems
- Acronis Cyber Protect 16
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access gains full SYSTEM privileges, allowing complete compromise of the Windows system, installation of malware, credential theft, and persistence mechanisms.
Likely Case
Malicious local users or malware with limited privileges escalate to SYSTEM to bypass security controls, disable security software, or access protected resources.
If Mitigated
With proper access controls and monitoring, exploitation attempts can be detected and blocked before privilege escalation occurs.
🎯 Exploit Status
Requires local access and ability to place malicious DLL in specific directory. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 39169 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-2245
Restart Required: No
Instructions:
1. Open the Acronis Cyber Protect 16 console.
2. Navigate to Settings > Updates.
3. Check for and apply available updates.
4. Verify the installation is now at build 39169 or higher.
🔧 Temporary Workarounds
Restrict DLL search path permissions
Set restrictive permissions on the directories where Acronis Cyber Protect searches for DLLs to prevent unauthorized DLL placement. The command below targets the Acronis install directory (the trailing backslash is omitted so the quoted path is parsed correctly):

```cmd
:: S-1-1-0 is the Everyone SID; (OI)(CI) inherit to files and subfolders;
:: DE = delete, DC = delete subfolders and files. A Deny ACE on Everyone also
:: binds administrators and SYSTEM, so test the effect on updates before rollout.
icacls "C:\Program Files\Acronis\CyberProtect" /deny *S-1-1-0:(OI)(CI)(DE,DC)
```
🧯 If You Can't Patch
- Implement strict access controls to limit local user privileges on affected systems.
- Monitor for suspicious DLL loading events using Windows Event Logs or EDR solutions.
🔍 How to Verify
Check if Vulnerable:
Check Acronis Cyber Protect version in the console under Settings > About. If build number is lower than 39169, the system is vulnerable.
Check Version:
```cmd
wmic product where "Name='Acronis Cyber Protect'" get Name,Version
```
Verify Fix Applied:
Verify the build number is 39169 or higher in Settings > About after applying the update.
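The two conditions above (an unpatched build and a DLL directory that low-privileged users can write to) can be checked together from an elevated PowerShell prompt. This is an added example written for this page, not the vendor's tooling; it assumes the product registers under the standard Uninstall keys with a DisplayName starting "Acronis Cyber Protect", that the build is the trailing numeric component of DisplayVersion, and that C:\Program Files\Acronis is the default install directory.

```powershell
# Added example (not from the advisory or vendor). Assumptions: Uninstall-key DisplayName
# starts "Acronis Cyber Protect"; build = trailing number of DisplayVersion; default
# install directory C:\Program Files\Acronis. Run elevated.
$FixedBuild = 39169
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-AcronisInstall {
    # Returns the first matching Uninstall entry (DisplayVersion, InstallLocation) or $null.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Acronis Cyber Protect*' } |
        Select-Object -First 1
}

function Test-LowPrivWritable {
    # True if an Allow ACE grants create/write rights to a principal every local user holds.
    param([string]$Path)
    $lowPriv = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    $writeBits = [System.Security.AccessControl.FileSystemRights] 'CreateFiles, AppendData, WriteData'
    $hit = $false
    foreach ($rule in (Get-Acl -Path $Path).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $rule.IdentityReference.Value) { continue }
        # FullControl/Modify include these bits; inherit-only generic-rights ACEs show as raw ints and are skipped.
        if (($rule.FileSystemRights -band $writeBits) -ne 0) { $hit = $true }
    }
    return $hit
}

$install = Get-AcronisInstall
if (-not $install) { Write-Output 'Acronis Cyber Protect not found in Uninstall keys.'; return }
$build = if ($install.DisplayVersion -match '(\d+)\s*$') { [int]$Matches[1] } else { $null }
$dir = if ($install.InstallLocation) { $install.InstallLocation } else { 'C:\Program Files\Acronis' }  # assumed default

if ($null -eq $build) { Write-Output "Could not parse a build number from '$($install.DisplayVersion)'." }
elseif ($build -lt $FixedBuild) { Write-Output "VULNERABLE: build $build < $FixedBuild; update to $FixedBuild or later." }
else { Write-Output "Patched: build $build." }

if (Test-Path -Path $dir) {
    if (Test-LowPrivWritable -Path $dir) { Write-Output "WARNING: $dir is writable by low-privileged users; DLL placement is possible." }
    else { Write-Output "$dir is not writable by low-privileged principals." }
}
```

A "VULNERABLE" result with a writable directory is the combination the advisory describes; a patched build with a writable directory still deserves an ACL review, since the directory is part of the DLL search path.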
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 4688 showing Acronis processes loading DLLs from unusual locations
- Acronis application logs showing unexpected DLL loading errors
Network Indicators:
- No network indicators - this is a local attack
SIEM Query:
```
EventID=4688 AND ProcessName LIKE "%Acronis%" AND CommandLine LIKE "%.dll%"
```