CVE-2025-30412

10.0 CRITICAL

📋 TL;DR

CVE-2025-30412 allows attackers to bypass authentication mechanisms in Acronis Cyber Protect, potentially leading to unauthorized access, sensitive data disclosure, and system manipulation. This affects Acronis Cyber Protect 16 (Linux/Windows) before build 39938 and Acronis Cyber Protect 15 (Linux/Windows) before build 41800. Organizations using these vulnerable versions are at risk of complete system compromise.

💻 Affected Systems

Products:
  • Acronis Cyber Protect 16
  • Acronis Cyber Protect 15
Versions: Cyber Protect 16: all versions before build 39938; Cyber Protect 15: all versions before build 41800
Operating Systems: Linux, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with default authentication settings are vulnerable. The vulnerability affects both management console and agent components.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with administrative privileges, allowing attackers to exfiltrate all protected data, manipulate backup integrity, deploy ransomware, and maintain persistent access to the entire infrastructure.

🟠 Likely Case

Unauthorized access to sensitive backup data, potential credential theft, manipulation of backup schedules and retention policies, and lateral movement within the network.

🟢 If Mitigated

Limited impact with proper network segmentation, strong authentication controls, and monitoring, though the vulnerability still presents significant risk if exploited.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The CWE-1390 classification suggests weak authentication mechanisms that could be exploited without prior authentication. Given the CVSS 10.0 score, exploitation is likely straightforward once details are known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Cyber Protect 16: build 39938 or later; Cyber Protect 15: build 41800 or later

Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-8598

Restart Required: Yes

Instructions:

  1. Download the latest build from the Acronis support portal.
  2. Back up the current configuration.
  3. Stop all Acronis services.
  4. Install the update.
  5. Restart services and verify functionality.

🔧 Temporary Workarounds

Network Isolation (applies to: all platforms)

Restrict network access to Acronis management interfaces to trusted IP addresses only.

# Use firewall rules to restrict access to the management port (default 9877).
# Example for Linux iptables; replace trusted_ip_range with your admin CIDR
# (e.g. 10.0.0.0/8). Rules are matched in order, so the ACCEPT must precede the DROP.
iptables -A INPUT -p tcp --dport 9877 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 9877 -j DROP

Enhanced Authentication (applies to: all platforms)

Implement multi-factor authentication and strong password policies for all Acronis accounts.

# Configure in Acronis management console:
# 1. Navigate to Settings > Security
# 2. Enable MFA for all accounts
# 3. Set minimum password length to 12 characters
# 4. Enable account lockout after 5 failed attempts

🧯 If You Can't Patch

  • Isolate affected systems in a dedicated VLAN with strict firewall rules
  • Implement comprehensive monitoring and alerting for authentication attempts and data access patterns

🔍 How to Verify

Check if Vulnerable:

Check the build number in Acronis management console under Help > About. For Cyber Protect 16, vulnerable if build < 39938. For Cyber Protect 15, vulnerable if build < 41800.

Check Version:

# Windows: Check registry or installed programs
# Linux: Check package version or run acronis-cli --version

Verify Fix Applied:

Verify that the build number meets the minimum requirements listed above and test the authentication mechanisms: an attempt to access the management interface with invalid credentials should be rejected.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts from unexpected IPs
  • Successful logins outside business hours
  • Multiple authentication attempts in short timeframes
  • Access to sensitive backup data without proper authorization

Network Indicators:

  • Unusual traffic patterns to Acronis management ports (default 9877)
  • Authentication requests from external IPs
  • Large data transfers from backup repositories

SIEM Query:

source="acronis*" AND (event_type="authentication_failure" OR event_type="unauthorized_access") | stats count by src_ip, user
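An added example, not part of the advisory or of any Acronis tooling, that applies the log indicators listed above (failures from unexpected IPs, bursts of attempts, logins outside business hours) to constructed sample log lines. The line format, the trusted admin ranges, the business-hours window and the burst threshold are assumptions to adapt to your own log source.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values: admin source ranges, local business hours, burst rule.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(8, 18)        # 08:00-17:59
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 5

# Constructed sample lines; the field layout is an assumption, not Acronis format.
SAMPLE_LOG = """\
2025-04-01T09:12:01 auth_failure user=admin src_ip=203.0.113.7
2025-04-01T09:12:09 auth_failure user=admin src_ip=203.0.113.7
2025-04-01T09:12:15 auth_failure user=admin src_ip=203.0.113.7
2025-04-01T09:12:20 auth_failure user=admin src_ip=203.0.113.7
2025-04-01T09:12:31 auth_failure user=admin src_ip=203.0.113.7
2025-04-01T09:13:02 auth_success user=admin src_ip=203.0.113.7
2025-04-01T10:00:00 auth_success user=backup_op src_ip=10.1.2.3
2025-04-01T23:45:10 auth_success user=backup_op src_ip=10.1.2.3
"""

LINE_RE = re.compile(r"^(\S+) (auth_failure|auth_success) user=(\S+) src_ip=(\S+)$")

def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, event, user, ip = m.groups()
            yield datetime.fromisoformat(ts), event, user, ipaddress.ip_address(ip)

def analyse(log_text):
    """Return (indicator, src_ip, user) alerts matching the log indicators above."""
    alerts = []
    failures = defaultdict(list)  # src_ip -> failure timestamps inside the window
    for ts, event, user, ip in parse(log_text):
        trusted = any(ip in net for net in TRUSTED_NETS)
        if event == "auth_failure":
            if not trusted:
                alerts.append(("failure_from_untrusted_ip", str(ip), user))
            failures[ip] = [t for t in failures[ip] if ts - t <= BURST_WINDOW] + [ts]
            if len(failures[ip]) == BURST_THRESHOLD:   # fire once per burst
                alerts.append(("auth_burst", str(ip), user))
        else:
            if not trusted:
                alerts.append(("success_from_untrusted_ip", str(ip), user))
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(("success_outside_hours", str(ip), user))
    return alerts
```

Call `analyse(SAMPLE_LOG)` to list the alerts; on the sample data the burst from 203.0.113.7 followed by a successful login from the same untrusted address is the pattern worth escalating.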
