CVE-2025-11790
📋 TL;DR
Acronis Cyber Protect Cloud Agent fails to delete credentials after plan revocation, leaving authentication data accessible. This affects all platforms (Linux, macOS, Windows) running vulnerable versions. Attackers could potentially access these credentials to compromise systems.
💻 Affected Systems
- Acronis Cyber Protect Cloud Agent
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Stored credentials are used to gain unauthorized access to backup systems, potentially leading to data exfiltration, ransomware deployment, or system compromise.
Likely Case
Local attackers or malware could harvest credentials for lateral movement within the environment or to access backup data.
If Mitigated
With proper network segmentation and access controls, impact is limited to credential exposure on individual systems.
🎯 Exploit Status
Exploitation requires local access to read credential files; no authentication bypass needed once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 41124 or later
Vendor Advisory: https://security-advisory.acronis.com/SEC-8658
Restart Required: Yes
Instructions:
1. Update Acronis Cyber Protect Cloud Agent to build 41124 or later.
2. Restart the agent service.
3. Verify the update completed successfully.
🔧 Temporary Workarounds
Manual credential cleanup (applies to all platforms)
Manually remove stored credentials after plan revocation:
# Location varies by OS - check Acronis documentation for credential storage paths
# Remove credential files after confirming plan revocation
🧯 If You Can't Patch
- Implement strict access controls to limit who can access systems running Acronis Agent
- Monitor credential storage locations for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check the Acronis Agent version: if it is below build 41124, the system is vulnerable. Also check whether credentials remain on disk after a plan revocation.
Check Version:
# Windows: Check Acronis Agent version in Control Panel or Services
# Linux/macOS: Check agent version via package manager or agent status command
Verify Fix Applied:
After updating to build 41124+, verify credentials are properly deleted during plan revocation process.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts using old credentials
- Unauthorized access to backup systems
- Unexpected credential file access
Network Indicators:
- Unusual outbound connections from Acronis Agent systems
- Traffic to backup systems from unexpected sources
SIEM Query:
source="acronis-agent" AND (event_type="credential_access" OR event_type="authentication_failure")
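As an added illustration of the version check and the SIEM predicate above (not code from this page or from Acronis), the following Python triage helper decides whether an agent version string predates fixed build 41124 and applies the same source/event_type filter to key=value log lines. The version-string formats and the sample log lines are constructed assumptions; the real agent's version output and log schema are not given on this page.

```python
import re
import shlex
from typing import Dict, Iterable, List, Optional

FIXED_BUILD = 41124  # first fixed build named in the advisory (SEC-8658)

# Assumption: the build number appears after the word "build" or as the
# final dotted component of the version string. Adjust to the real output.
_BUILD_RE = re.compile(r"(?:build[:\s]*|\.)(\d{4,6})\b", re.IGNORECASE)


def parse_build(version: str) -> Optional[int]:
    """Return the build number in an agent version string, or None if absent."""
    m = _BUILD_RE.search(version)
    return int(m.group(1)) if m else None


def is_vulnerable_build(version: str) -> Optional[bool]:
    """True if the build predates the fix, False if fixed, None if unparseable."""
    build = parse_build(version)
    return None if build is None else build < FIXED_BUILD


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value log line (quoted values allowed) into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def matches_siem_query(event: Dict[str, str]) -> bool:
    """Same predicate as the page's SIEM query."""
    return (event.get("source") == "acronis-agent"
            and event.get("event_type") in {"credential_access", "authentication_failure"})


def flag_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed events that the SIEM query would surface."""
    return [ev for ev in map(parse_event, lines) if matches_siem_query(ev)]


# Constructed sample log lines (not real Acronis output); <cred-store> is a placeholder.
SAMPLE_LOG = [
    'source="acronis-agent" event_type="credential_access" path="<cred-store>" user="svc_backup"',
    'source="acronis-agent" event_type="plan_revoked" plan="daily-full"',
    'source="acronis-agent" event_type="authentication_failure" user="svc_backup" reason="revoked"',
    'source="sshd" event_type="authentication_failure" user="root"',
]

if __name__ == "__main__":
    for v in ("Acronis Agent 24.11.39231", "Acronis Agent build 41124"):
        print(v, "-> vulnerable:", is_vulnerable_build(v))
    for ev in flag_events(SAMPLE_LOG):
        print("ALERT", ev["event_type"], ev.get("user"))
```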