CVE-2025-24830
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Acronis Cyber Protect Cloud Agent for Windows. Attackers can exploit DLL hijacking to execute arbitrary code with elevated privileges. Only Windows systems running vulnerable versions of the Acronis agent are affected.
💻 Affected Systems
- Acronis Cyber Protect Cloud Agent
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise where an attacker gains SYSTEM privileges, installs persistent malware, accesses sensitive data, and moves laterally across the network.
Likely Case
Local attackers escalate privileges from standard user to administrator/SYSTEM level to bypass security controls and install additional malicious software.
If Mitigated
Limited impact if proper endpoint protection, application whitelisting, and least privilege principles are enforced, though local privilege escalation remains possible.
🎯 Exploit Status
DLL hijacking vulnerabilities typically have low exploitation complexity but require local access and the ability to place malicious DLLs in specific directories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 39378 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-7829
Restart Required: Yes
Instructions:
1. Update Acronis Cyber Protect Cloud Agent to build 39378 or later.
2. Restart the system to ensure the updated agent loads properly.
3. Verify the update was successful using the verification steps below.
🔧 Temporary Workarounds
Restrict DLL search path permissions
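Windows: Set restrictive permissions on directories where the Acronis agent searches for DLLs to prevent unauthorized DLL placement. The deny entry below also applies to administrators and SYSTEM, so it can block the agent's own updater; remove it before installing the patched build.
icacls "C:\Program Files\Acronis" /deny "Everyone:(OI)(CI)(W)"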
Enable DLL Safe Search Mode
Windows: Configure Windows to use Safe DLL Search Mode, which places the system directories ahead of the current directory in the DLL search order
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of unauthorized DLLs
- Enforce least privilege principles and restrict standard users from writing to program directories
🔍 How to Verify
Check if Vulnerable:
Check Acronis agent version: Open Acronis Management Console or check installed programs for version/build number
Check Version:
wmic product where "name like 'Acronis%'" get version
Verify Fix Applied:
Verify agent version is 39378 or higher and test DLL loading behavior from non-system directories
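Added example (not part of the original page and not Acronis tooling): a PowerShell audit that compares the installed agent build with 39378 and lists agent directories that standard-user groups can write to. It assumes the build number is the last dotted field of DisplayVersion and that the agent is installed under the path used in the workaround above.

```powershell
# Added example: check the agent build and audit write access to its directory.
# Assumptions: the build is the last dotted field of DisplayVersion; $AgentDir is
# the path from the workaround above (adjust if the agent is installed elsewhere).
$FixedBuild = 39378
$AgentDir   = 'C:\Program Files\Acronis'

# 1. Installed Acronis products, read from the uninstall registry keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Acronis*' -and $_.DisplayVersion } |
    ForEach-Object {
        $build = 0
        $last  = ($_.DisplayVersion -split '\.')[-1]
        $state = if (-not [int]::TryParse($last, [ref]$build)) {
            'build not parseable, check manually'
        } elseif ($build -ge $FixedBuild) {
            'at or above fixed build'
        } else {
            'BELOW fixed build'
        }
        '{0} {1}: {2}' -f $_.DisplayName, $_.DisplayVersion, $state
    }

# 2. Directories under $AgentDir where a low-privileged group holds an Allow ACE
#    with write rights (SIDs: Everyone, Authenticated Users, Users, INTERACTIVE).
$lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'
# WriteData (create files), AppendData (create subdirectories), GENERIC_WRITE, GENERIC_ALL
$writeBits = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
$sidType   = [System.Security.Principal.SecurityIdentifier]
if (Test-Path -LiteralPath $AgentDir) {
    $dirs = @(Get-Item -LiteralPath $AgentDir) +
            @(Get-ChildItem -LiteralPath $AgentDir -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $rules = (Get-Acl -LiteralPath $dir.FullName).GetAccessRules($true, $true, $sidType)
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $lowPrivSids -contains $ace.IdentityReference.Value -and
                ([int]$ace.FileSystemRights -band $writeBits)) {
                'WRITABLE by {0}: {1}' -f $ace.IdentityReference.Value, $dir.FullName
            }
        }
    }
}
```

Run it from an elevated prompt so Get-Acl can read every directory; any "WRITABLE" line is a directory whose permissions should be tightened even after the agent is patched.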
📡 Detection & Monitoring
Log Indicators:
- Unexpected DLL loads from non-system directories in Acronis process logs
- Windows Event ID 4688 showing Acronis processes loading DLLs from unusual locations
Network Indicators:
- No direct network indicators as this is local exploitation
SIEM Query:
EventID=4688 AND ProcessName="*Acronis*" AND (NewProcessName="*.dll" OR CommandLine="*.dll")