CVE-2024-55543
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Acronis Cyber Protect 16 for Windows due to DLL hijacking. Attackers with local access can exploit this to execute arbitrary code with SYSTEM privileges. Only Windows installations of Acronis Cyber Protect 16 before build 39169 are affected.
💻 Affected Systems
- Acronis Cyber Protect 16
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise where an attacker gains SYSTEM privileges, potentially installing persistent malware, accessing all data, and controlling the entire system.
Likely Case
Local attackers escalate privileges from standard user to administrator/SYSTEM level to bypass security controls, install unauthorized software, or access protected resources.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated systems where attackers already have local access but cannot pivot to other systems.
🎯 Exploit Status
Requires local access and the ability to place a malicious DLL in a specific directory. No public exploit code is available at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 39169 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-6418
Restart Required: No
Instructions:
1. Open Acronis Cyber Protect 16.
2. Navigate to Help > About.
3. Check current build number.
4. If below 39169, download and install the latest update from Acronis portal.
5. Verify installation completes successfully.
🔧 Temporary Workarounds
Restrict DLL search path permissions
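Windows: Set restrictive permissions on directories where Acronis searches for DLLs to prevent unauthorized DLL placement
icacls "C:\Program Files\Acronis\*" /deny Everyone:(OI)(CI)(WD,AD)
Note that Everyone includes SYSTEM and Administrators, and deny entries generally take precedence over allow entries, so this entry can also stop the product's own services and installers from writing to those directories. Test it on a non-production system first and remove it before installing the update.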
🧯 If You Can't Patch
- Implement strict access controls to limit local user privileges on affected systems
- Monitor for suspicious DLL loading events and file creation in Acronis directories
🔍 How to Verify
Check if Vulnerable:
Check Acronis Cyber Protect 16 build number via Help > About in the application interface
Check Version:
wmic product where "name like 'Acronis Cyber Protect%'" get version
Verify Fix Applied:
Confirm build number is 39169 or higher after update installation
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing DLL loading from unusual locations
- Acronis application logs showing abnormal startup behavior
Network Indicators:
- No network indicators - this is a local exploit
SIEM Query:
EventID=7 AND (ImagePath:*Acronis* OR ProcessName:*Acronis*) AND (FileName:*.dll)
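The query above matches every DLL an Acronis process loads, which is mostly legitimate activity. The following added example (not from the vendor advisory or this page's source) triages Sysmon Event ID 7 records by load path and signature state; the trusted directory list, process names and sample events are constructed assumptions to adapt to the real install layout.

```python
from pathlib import PureWindowsPath

# Assumption: directories an Acronis process is expected to load DLLs from.
TRUSTED_DIRS = (
    r"c:\program files\acronis",
    r"c:\program files\common files\acronis",
    r"c:\windows\system32",
    r"c:\windows\winsxs",
)

def _under(path, root):
    """True if path is inside root, compared by path component, not string prefix."""
    p, r = PureWindowsPath(path.lower()), PureWindowsPath(root)
    return r in p.parents

def triage_image_load(event):
    """Return the reasons a Sysmon Event ID 7 (ImageLoad) record deserves review."""
    if event.get("EventID") != 7:
        return []
    image, loaded = event.get("Image", ""), event.get("ImageLoaded", "")
    if "acronis" not in image.lower() or not loaded.lower().endswith(".dll"):
        return []
    reasons = []
    if not any(_under(loaded, d) for d in TRUSTED_DIRS):
        reasons.append("loaded from outside trusted directories")
    # A DLL dropped inside a trusted directory still fails this check if unsigned.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    return reasons

def flagged(events):
    """Return (ImageLoaded, reasons) for every event with at least one reason."""
    hits = [(e.get("ImageLoaded"), triage_image_load(e)) for e in events]
    return [(path, why) for path, why in hits if why]

_SVC = r"C:\Program Files\Acronis\Agent\example_service.exe"  # hypothetical name
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 7, "Image": _SVC, "ImageLoaded": r"C:\Windows\System32\example.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": _SVC, "ImageLoaded": r"C:\Users\Public\example.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": _SVC, "ImageLoaded": r"C:\Program Files\Acronis\Agent\example.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Users\Public\example.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for path, why in flagged(SAMPLE_EVENTS):
        print(path, "->", "; ".join(why))
```

Sysmon only records the `Signed` and `SignatureStatus` fields when ImageLoad logging is enabled in its configuration, so confirm that Event ID 7 is actually being collected for the Acronis binaries before relying on this.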