CVE-2025-24826

6.7 MEDIUM

📋 TL;DR

This CVE describes a local privilege escalation vulnerability in Acronis Snap Deploy for Windows due to insecure folder permissions. Attackers with local access can exploit this to gain elevated SYSTEM privileges. Only Windows systems running vulnerable versions of Acronis Snap Deploy are affected.

💻 Affected Systems

Products:
  • Acronis Snap Deploy
Versions: All versions before build 4625
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations of Acronis Snap Deploy. Requires local access to the system.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with local access gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement capabilities.

🟠 Likely Case

Malicious users or malware with an initial foothold escalate privileges to bypass security controls, install additional malware, or access sensitive data.

🟢 If Mitigated

With proper access controls and least privilege principles, impact is limited to specific service disruption rather than full system compromise.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access to the system.
🏢 Internal Only: HIGH - Internal attackers or malware with initial access can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but is likely straightforward once folder permissions are identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Build 4625 or later

Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-6436

Restart Required: Yes

Instructions:

  1. Download Acronis Snap Deploy build 4625 or later from official Acronis sources.
  2. Run the installer to update the software.
  3. Restart the system to ensure all changes take effect.

🔧 Temporary Workarounds

Restrict folder permissions

windows

Manually adjust folder permissions to remove write access for non-administrative users

icacls "C:\Program Files\Acronis\SnapDeploy" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F"

🧯 If You Can't Patch

  • Remove Acronis Snap Deploy from critical systems if not essential
  • Implement strict access controls and monitor for unauthorized privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Acronis Snap Deploy version in Control Panel > Programs and Features or run 'wmic product where name="Acronis Snap Deploy" get version'

Check Version:

wmic product where name="Acronis Snap Deploy" get version

Verify Fix Applied:

Verify that the version is 4625 or higher using the same commands, and check the folder permissions on the Acronis installation directory.
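
A read-only way to carry out the folder-permission check mentioned above, added here as an example (it is not vendor code and not one of this site's scripts): it lists Allow ACEs under the install directory that give write-capable rights to any principal other than SYSTEM, Administrators, TrustedInstaller and CREATOR OWNER. The default path is the one from the workaround on this page and may differ on a given installation; the function name Get-WritableAce is illustrative.

```powershell
# Added example, not vendor code. Audits a directory tree for Allow ACEs that give
# write-capable rights to principals other than the expected administrative ones.
# Assumption: the default path is the one used in the workaround on this page.
param([string]$Path = 'C:\Program Files\Acronis\SnapDeploy')

# Specific rights that allow planting or replacing files, or rewriting the ACL.
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Generic bits that can show up unmapped on inherit-only ACEs:
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000).
$mask = [int]$writeRights -bor 0x10000000 -bor 0x40000000

# Principals expected to hold write access, by well-known SID.
$expected = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-3-0',        # CREATOR OWNER (applies only to whoever can already create children)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Get-WritableAce {
    param([string]$Item)
    $acl = Get-Acl -LiteralPath $Item
    # Ask for SIDs directly so orphaned or localized account names do not matter.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
        $sid = $ace.IdentityReference.Value
        if ($expected -contains $sid) { continue }
        # Resolve to a readable name where possible; fall back to the raw SID.
        $name = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid }
        [pscustomobject]@{
            Path      = $Item
            Principal = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Check the root directory and everything beneath it, including hidden items.
$items = @($Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object FullName)
$findings = @($items | ForEach-Object { Get-WritableAce -Item $_ })
if ($findings.Count -eq 0) { "No unexpected write-capable ACEs under $Path" }
else { $findings | Format-Table -AutoSize -Wrap }
```

Any row naming Users, Authenticated Users, Everyone or a standard account means non-administrators can still write to the directory tree.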

📡 Detection & Monitoring

Log Indicators:

  • Windows Security Event ID 4672 (Special privileges assigned to new logon)
  • Unexpected process creation with SYSTEM privileges from user accounts
  • File permission changes in Acronis installation directories

Network Indicators:

  • None - this is a local privilege escalation

SIEM Query:

EventID=4672 AND SubjectUserName NOT IN ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
