CVE-2025-24828
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Acronis Cyber Protect Cloud Agent for Windows. Attackers can exploit DLL hijacking to execute arbitrary code with elevated privileges. Only Windows systems running vulnerable versions of the Acronis agent are affected.
💻 Affected Systems
- Acronis Cyber Protect Cloud Agent
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access can gain SYSTEM-level privileges, potentially compromising the entire Windows host and accessing sensitive data or deploying persistent malware.
Likely Case
Malicious users or malware with initial foothold can escalate privileges to install additional payloads, disable security controls, or move laterally within the network.
If Mitigated
With proper endpoint security controls and least privilege principles, exploitation would be limited to specific user contexts rather than full SYSTEM compromise.
🎯 Exploit Status
DLL hijacking vulnerabilities typically have low exploitation complexity once an attacker gains initial access to the system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 39378 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-7842
Restart Required: Yes
Instructions:
1. Update Acronis Cyber Protect Cloud Agent to build 39378 or later.
2. Restart the system to ensure the updated agent loads properly.
3. Verify the agent is running the patched version.
🔧 Temporary Workarounds
Restrict DLL search path permissions
Windows: Set restrictive permissions on directories where the Acronis agent searches for DLLs to prevent unauthorized DLL placement.
icacls "C:\Program Files\Acronis" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"
Enable DLL Safe Search Mode
Windows: Configure Windows to use Safe DLL Search Mode, which searches the system directories before the current working directory.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f
🧯 If You Can't Patch
- Implement strict file system permissions to prevent unauthorized users from writing to directories where Acronis searches for DLLs.
- Deploy application whitelisting solutions to prevent execution of unauthorized DLLs in Acronis directories.
🔍 How to Verify
Check if Vulnerable:
Check the Acronis agent version in Control Panel > Programs and Features or run 'wmic product get name,version' and look for Acronis Cyber Protect Cloud Agent version lower than build 39378.
Check Version:
wmic product where "name like '%Acronis Cyber Protect Cloud Agent%'" get version
Verify Fix Applied:
Verify the agent version shows build 39378 or higher and test that the agent functions normally after update.
📡 Detection & Monitoring
Log Indicators:
- Unusual DLL loading from non-standard locations in Windows Event Logs (Sysmon Event ID 7, Image loaded)
- Acronis agent process loading DLLs from user-writable directories
Network Indicators:
- No direct network indicators as this is a local privilege escalation
SIEM Query:
EventID=7 AND ProcessName="*acronis*" AND ImageLoaded="*.dll" AND NOT ImageLoaded="*system32*" AND NOT ImageLoaded="*program files*acronis*"
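The SIEM query above excludes on substrings, so any DLL path that merely contains "system32" is filtered out. As an added example (not part of the original page or any vendor tooling), this Python code applies the same rule to constructed Sysmon Event ID 7 records with the exclusions anchored to directory prefixes; the trusted directory list and the placeholder file names are assumptions.

```python
import ntpath
import re

# Assumption: directories standard users cannot write to by default.
# "C:\Program Files\Acronis" comes from the icacls workaround on this page.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files\acronis",
)

def is_trusted(path):
    """Prefix match on the case-folded path after '..' segments are collapsed."""
    p = ntpath.normcase(ntpath.normpath(path))
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)

def _candidate(ev):
    """Sysmon Event ID 7 where an Acronis process loaded a DLL."""
    return (ev.get("EventID") == 7
            and "acronis" in ev.get("Image", "").lower()
            and ev.get("ImageLoaded", "").lower().endswith(".dll"))

def substring_filter(events):
    """The wildcard logic of the SIEM query, transcribed literally."""
    out = []
    for ev in filter(_candidate, events):
        loaded = ev["ImageLoaded"].lower()
        if "system32" in loaded or re.search(r"program files.*acronis", loaded):
            continue
        out.append(ev["ImageLoaded"])
    return out

def anchored_filter(events):
    """Same rule, but exclusions are anchored to trusted directory prefixes."""
    return [ev["ImageLoaded"] for ev in filter(_candidate, events)
            if not is_trusted(ev["ImageLoaded"])]

# Constructed sample records; file names are placeholders, not real Acronis binaries.
AGENT = r"C:\Program Files\Acronis\example_agent.exe"
SAMPLE = [
    {"EventID": 7, "Image": AGENT, "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "Image": AGENT, "ImageLoaded": r"C:\Program Files\Acronis\example.dll"},
    {"EventID": 7, "Image": AGENT, "ImageLoaded": r"C:\ProgramData\Temp\example.dll"},
    {"EventID": 7, "Image": AGENT, "ImageLoaded": r"C:\Users\Public\system32\example.dll"},
    {"EventID": 1, "Image": AGENT, "ImageLoaded": ""},
]

if __name__ == "__main__":
    print("substring:", substring_filter(SAMPLE))
    print("anchored: ", anchored_filter(SAMPLE))
```

Extend TRUSTED_DIRS to the agent's actual install locations before relying on the anchored rule.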