CVE-2025-48961

7.3 HIGH

📋 TL;DR

This CVE describes a local privilege escalation vulnerability in Acronis Cyber Protect 16 for Windows due to insecure folder permissions. An attacker with local access can exploit improper permissions to gain elevated SYSTEM privileges. Only Windows installations of Acronis Cyber Protect 16 before build 39938 are affected.

💻 Affected Systems

Products:
  • Acronis Cyber Protect 16
Versions: All versions before build 39938
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations. Linux/macOS versions are not vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with local access gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement.

🟠 Likely Case

Malicious local user or malware with initial foothold escalates to SYSTEM to disable security controls, install backdoors, or access protected data.

🟢 If Mitigated

With proper access controls and least privilege principles, impact is limited to authorized users only.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access to the system.
🏢 Internal Only: HIGH - Any compromised user account or malware with local execution can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but is likely straightforward once folder permissions are identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Build 39938 or later

Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-8000

Restart Required: Yes

Instructions:

  1. Download Acronis Cyber Protect 16 build 39938 or later from the official Acronis portal.
  2. Run the installer with administrative privileges.
  3. Follow the installation wizard.
  4. Restart the system when prompted.

🔧 Temporary Workarounds

Restrict folder permissions

Platform: Windows

Manually adjust vulnerable folder permissions to remove write access for non-administrative users

icacls "C:\Program Files\Acronis\CyberProtect" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"
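As an added audit check (not from the advisory or from Acronis): a PowerShell script that walks the install tree and reports any Allow ACE granting write-class rights to broad non-admin principals, so you can confirm the workaround above actually took effect and re-check after patching. The directory path is taken from the workaround command and is an assumption; adjust it to your install location.

```powershell
# Added audit script, not vendor code. Reports directories under the Acronis install
# tree where a broad, non-admin principal holds write-class rights.
param([string]$Root = 'C:\Program Files\Acronis\CyberProtect')  # assumed path, from the workaround above

# Principals that should never hold write rights on a SYSTEM-service install directory.
$BroadPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Any of these rights lets a low-privileged user plant or replace files or alter the ACL.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Find-WeakAcl {
    param([string]$Path)
    # Check the root itself plus every subdirectory; inherited ACEs are included on purpose,
    # because a permissive ACE can be inherited from a parent as well as set explicitly.
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $dir.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$weak = @(Find-WeakAcl -Path $Root)
if ($weak.Count -eq 0) {
    Write-Output "OK: no broad write access found under $Root"
} else {
    Write-Output "WEAK: $($weak.Count) permissive ACE(s) found under $Root"
    $weak | Format-Table -AutoSize
}
```

Run it from an elevated prompt so every subdirectory's ACL is readable; a non-empty result means the workaround has not fully taken effect on that path.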

🧯 If You Can't Patch

  • Implement strict access controls and least privilege principles for all user accounts
  • Monitor for suspicious privilege escalation attempts using endpoint detection tools

🔍 How to Verify

Check if Vulnerable:

Check Acronis Cyber Protect version in Control Panel > Programs and Features. If version is earlier than build 39938, system is vulnerable.

Check Version:

wmic product where name="Acronis Cyber Protect" get version

Verify Fix Applied:

Verify version shows build 39938 or later in Control Panel > Programs and Features.

📡 Detection & Monitoring

Log Indicators:

  • Windows Security Event ID 4672 (Special privileges assigned to new logon)
  • Unexpected SYSTEM privilege usage from user accounts
  • File permission changes in Acronis installation directory

Network Indicators:

  • None - this is a local privilege escalation

SIEM Query:

EventID=4672 AND SubjectUserName NOT IN ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
