CVE-2025-30408
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Acronis Cyber Protect products on Windows. Attackers with local access can exploit insecure folder permissions to gain elevated SYSTEM privileges. Affected users include organizations running vulnerable versions of Acronis Cyber Protect Cloud Agent or Acronis Cyber Protect 16 on Windows systems.
💻 Affected Systems
- Acronis Cyber Protect Cloud Agent (Windows)
- Acronis Cyber Protect 16 (Windows)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full SYSTEM privileges, enabling complete system compromise, credential theft, persistence establishment, and lateral movement across the network.
Likely Case
Malicious insider or malware with initial access escalates to SYSTEM privileges to disable security controls, install additional malware, or access sensitive data.
If Mitigated
With proper access controls and monitoring, exploitation attempts are detected and blocked before privilege escalation completes.
🎯 Exploit Status
Exploitation requires local access but is technically simple once access is obtained. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Acronis Cyber Protect Cloud Agent build 39904 or later, Acronis Cyber Protect 16 build 39938 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-8035
Restart Required: Yes
Instructions:
1. Update Acronis Cyber Protect Cloud Agent to build 39904 or later.
2. Update Acronis Cyber Protect 16 to build 39938 or later.
3. Restart affected systems to apply changes.
🔧 Temporary Workarounds
Restrict folder permissions
Windows: Manually adjust folder permissions to remove write access for non-administrative users
icacls "C:\Program Files\Acronis" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F"
(No trailing backslash inside the quoted path: icacls would otherwise treat \" as an escaped quote and mis-parse the path.)
🧯 If You Can't Patch
- Implement strict access controls to limit local user access to affected systems
- Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check the Acronis Cyber Protect build number: for Cloud Agent, a build below 39904 is vulnerable; for Cyber Protect 16, a build below 39938 is vulnerable.
Check Version:
Check Acronis Cyber Protect interface or registry: HKEY_LOCAL_MACHINE\SOFTWARE\Acronis\CyberProtect\Agent\Version
Verify Fix Applied:
Confirm Acronis Cyber Protect Cloud Agent is build 39904 or higher, or Acronis Cyber Protect 16 is build 39938 or higher.
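A script that performs the two checks above, plus an audit of the install folder's ACLs for the write access the workaround removes, as an added example that is not the vendor's or this page's own code. It assumes (not stated on the page) that the registry Version value is a dotted string whose last component is the build, and that the product is installed under C:\Program Files\Acronis.

```powershell
# Added example, not from the Acronis advisory or this page. Assumptions: the registry
# 'Version' value is a dotted string whose last component is the build (e.g. '16.0.39904'),
# and the product lives under C:\Program Files\Acronis.
$RegKey      = 'HKLM:\SOFTWARE\Acronis\CyberProtect\Agent'
$InstallDir  = 'C:\Program Files\Acronis'
$FixedBuilds = @{ 'Cyber Protect Cloud Agent' = 39904; 'Cyber Protect 16' = 39938 }

function Get-AcronisBuild {
    # Build number from the registry value named on this page, or $null if absent/unparseable.
    $v = (Get-ItemProperty -Path $RegKey -Name Version -ErrorAction SilentlyContinue).Version
    if (-not $v) { return $null }
    $last = ([string]$v -split '\.')[-1]          # assumption: build is the last component
    if ($last -match '^\d+$') { [int]$last } else { $null }
}

function Find-WeakAcronisAce {
    # ACEs under $Root that grant write-capable rights to broad non-admin principals.
    param([string]$Root = $InstallDir)
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    # Only bits that let a standard user plant or replace files; Modify/FullControl contain them.
    # Read bits are deliberately excluded so plain read ACEs are not flagged.
    $mask = [int][System.Security.AccessControl.FileSystemRights]'Write,Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership'
    $mask = $mask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE / GENERIC_ALL on some inherited ACEs
    $top = Get-Item -LiteralPath $Root -ErrorAction SilentlyContinue
    if (-not $top) { return }
    $dirs = @($top) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($d in $dirs) {
        $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($broad -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
            [pscustomobject]@{ Path = $d.FullName; Identity = $ace.IdentityReference.Value
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

$build = Get-AcronisBuild
if ($null -eq $build) {
    Write-Output "No build found under $RegKey; read the version from the product UI instead."
} else {
    foreach ($p in $FixedBuilds.Keys) {        # compare against whichever product is installed
        $state = if ($build -ge $FixedBuilds[$p]) { 'fixed' } else { 'VULNERABLE' }
        Write-Output ('{0}: installed build {1}, fixed in {2} -> {3}' -f $p, $build, $FixedBuilds[$p], $state)
    }
}
$weak = @(Find-WeakAcronisAce)
if ($weak.Count) { $weak | Format-Table -AutoSize } else { Write-Output "No write-capable ACEs for broad principals under $InstallDir." }
```

Run it from an elevated PowerShell so every subfolder's ACL can be read; any row in the ACE table is a folder where the workaround above has not taken effect.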
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing unexpected file/folder permission changes in Acronis directories
- Process creation events showing privilege escalation from user to SYSTEM context
Network Indicators:
- No network indicators - this is a local privilege escalation
SIEM Query:
EventID=4688 AND NewProcessName LIKE '%Acronis%' AND SubjectUserName != 'SYSTEM' AND TokenElevationType = '%%1938'