CVE-2025-9578
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Acronis Cyber Protect Cloud Agent for Windows due to insecure folder permissions. Attackers with local access can exploit this to gain SYSTEM-level privileges. Only Windows installations of Acronis Cyber Protect Cloud Agent before build 40734 are affected.
💻 Affected Systems
- Acronis Cyber Protect Cloud Agent
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local user access can gain SYSTEM privileges, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement capabilities.
Likely Case
Malicious local users or malware with user-level access can escalate to SYSTEM privileges to disable security controls, install additional malware, or access protected system resources.
If Mitigated
With proper access controls and least privilege principles, the impact is limited as attackers would need valid local credentials and the ability to execute code on the system.
🎯 Exploit Status
Exploitation requires local access to the system. The CWE-732 (Incorrect Permission Assignment for Critical Resource) suggests folder permission misconfiguration that can be leveraged by local users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 40734 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-9107
Restart Required: Yes
Instructions:
1. Open Acronis Cyber Protect Cloud Agent.
2. Check for updates in the agent interface.
3. Update to build 40734 or later.
4. Restart the system to ensure changes take effect.
🔧 Temporary Workarounds
Restrict Local Access
Limit local user access to systems running vulnerable Acronis agents to reduce the attack surface.
Review Folder Permissions
Manually review and tighten permissions on the Acronis installation folders to prevent unauthorized write access. The command below strips inherited ACEs and leaves only SYSTEM and Administrators with access, so standard users lose read access as well; agent components that run in a user's session may stop working. Record the current ACLs first (icacls "C:\Program Files\Acronis" /save <file> /T) and test on one host before rolling out; if standard users need to run agent components, grant them "Users:(OI)(CI)RX" rather than any write right.
icacls "C:\Program Files\Acronis" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" /T
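Before tightening anything, it helps to know which ACEs are actually the problem. The following PowerShell script is an added example, not part of the advisory or Acronis' own tooling: it walks the agent's folders and reports every Allow ACE that gives a low-privilege principal (Everyone, Authenticated Users, INTERACTIVE, Users) a right that lets it change or replace content, which is the CWE-732 condition this CVE describes. The folder paths are assumptions; adjust them to your installation. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the advisory or the vendor): audit the Acronis install folders for
# ACEs that let non-administrative principals write. Paths are assumptions; adjust to your install.
$Paths = @('C:\Program Files\Acronis', 'C:\ProgramData\Acronis')

# Well-known SIDs of principals that should never hold write rights on a service's install tree.
# Comparing SIDs rather than names keeps the check independent of the OS display language.
$LowPrivSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-4',      # INTERACTIVE
    'S-1-5-32-545'  # BUILTIN\Users
)

# Access-mask bits that allow changing or replacing content: WriteData/AddFile (0x2),
# AppendData/AddSubdirectory (0x4), DeleteSubdirectoriesAndFiles (0x40), Delete (0x10000),
# ChangePermissions (0x40000), TakeOwnership (0x80000), GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
$WriteMask = 0x0002 -bor 0x0004 -bor 0x0040 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-WeakAce {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    # Files inherit from their folders, so folders are the decision points: check the root and every subfolder.
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }   # unresolvable identity (orphaned SID): skip
            if ($LowPrivSids -notcontains $sid) { continue }
            # FileSystemRights is an int-backed enum; the cast also exposes generic rights such as 0x10000000.
            if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $dir.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$weak = @(foreach ($p in $Paths) { Get-WeakAce -Path $p })
if ($weak.Count -eq 0) {
    Write-Host 'No write-capable ACEs for low-privilege principals found under the Acronis folders.'
} else {
    $weak | Format-Table -AutoSize
    # Record the current ACLs before tightening anything, so they can be restored with
    # "icacls <parent directory> /restore <file>" if the agent misbehaves afterwards.
    foreach ($p in $Paths | Where-Object { Test-Path -LiteralPath $_ }) {
        $backup = Join-Path $env:TEMP (('acronis-acl-' + ($p -replace '[:\\ ]', '_')) + '.txt')
        icacls $p /save $backup /T /C | Out-Null
        Write-Host "ACL backup for $p written to $backup"
    }
}
```

The script only reports and backs up; it does not change any ACL. Inherited ACEs flagged at the root usually mean the parent directory (for example C:\ProgramData) is the real source of the weak permission, which is why the page's icacls workaround removes inheritance first.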
🧯 If You Can't Patch
- Implement strict access controls to limit which users can log into systems with vulnerable Acronis agents
- Monitor for suspicious privilege escalation attempts and file permission changes in Acronis directories
🔍 How to Verify
Check if Vulnerable:
Check the Acronis Cyber Protect Cloud Agent version in the application interface or via Windows Programs and Features. If the version is earlier than build 40734, the system is vulnerable.
Check Version:
wmic product where "name like 'Acronis Cyber Protect Cloud Agent%'" get version
Verify Fix Applied:
Verify the agent version shows build 40734 or later after updating. Check that Acronis services are running normally.
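The wmic query above works, but wmic is deprecated and its "product" alias queries Win32_Product, which is slow and triggers an MSI consistency check on every installed product. The following PowerShell script is an added example (not the vendor's tooling) that reads the same information from the Uninstall registry keys instead, compares the build against 40734, and then lists the Acronis services so the "Verify Fix Applied" step can be completed in one run. It assumes the DisplayName begins with "Acronis Cyber Protect Cloud Agent" (as the page's wmic query does) and that the build number is the trailing numeric component of DisplayVersion; adjust the pattern if your version string differs.

```powershell
# Added example (not vendor code): find the installed agent build via the Uninstall keys and
# compare it with the fixed build from the advisory.
$FixedBuild = 40734   # from the advisory: build 40734 or later is fixed

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-AcronisAgentBuild {
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Acronis Cyber Protect Cloud Agent*' }   # assumed DisplayName prefix
    foreach ($e in $entries) {
        # Assumption: the build is the trailing run of digits in DisplayVersion (e.g. "...40734").
        $m = [regex]::Match([string]$e.DisplayVersion, '(\d+)\s*$')
        [pscustomobject]@{
            DisplayName    = $e.DisplayName
            DisplayVersion = $e.DisplayVersion
            Build          = if ($m.Success) { [int]$m.Groups[1].Value } else { $null }
        }
    }
}

$agents = @(Get-AcronisAgentBuild)
if ($agents.Count -eq 0) {
    Write-Host 'No Acronis Cyber Protect Cloud Agent entry found in the Uninstall keys.'
}
foreach ($a in $agents) {
    if ($null -eq $a.Build) {
        Write-Warning ("{0}: could not parse a build number from '{1}'; check manually." -f $a.DisplayName, $a.DisplayVersion)
    } elseif ($a.Build -lt $FixedBuild) {
        Write-Warning ("{0} {1} (build {2}) is below {3}: vulnerable to CVE-2025-9578" -f $a.DisplayName, $a.DisplayVersion, $a.Build, $FixedBuild)
    } else {
        Write-Host ("{0} {1} (build {2}) is at or above {3}: fixed" -f $a.DisplayName, $a.DisplayVersion, $a.Build, $FixedBuild)
    }
}

# Confirm the agent services are running, as the "Verify Fix Applied" step asks.
Get-Service | Where-Object { $_.DisplayName -like 'Acronis*' } | Select-Object Name, DisplayName, Status
```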
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing unexpected privilege escalation
- Acronis agent logs showing permission errors or unauthorized access attempts
- Security log process-creation events (Event ID 4688) showing a process started with SYSTEM privileges that originates from a standard user account
Network Indicators:
- No network indicators as this is a local privilege escalation
SIEM Query:
EventID=4688 AND NewProcessName LIKE '%acronis%' AND SubjectUserName != 'SYSTEM' AND TokenElevationType != '%%1936'
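The SIEM query above is written in generic pseudo-syntax. As an added example (not from the advisory), the following PowerShell script runs the same logic locally against the Security log of a single host, and extends it with Event ID 4670 ("Permissions on an object were changed"), which is the event that records the ACL changes the "If You Can't Patch" section asks you to monitor. It assumes the install path "C:\Program Files\Acronis" and identifies SYSTEM by its SID (S-1-5-18) rather than the string 'SYSTEM', which depends on the OS language. 4688 events require the "Audit Process Creation" policy; 4670 events are only generated for objects that carry an auditing (SACL) entry, so enable "Audit File System" and add a SACL to the Acronis folder if you want them. Run as administrator, since the Security log is not readable otherwise.

```powershell
# Added example (not from the advisory): local equivalent of the page's SIEM query, plus ACL-change events.
$AcronisPath = 'C:\Program Files\Acronis'   # assumed install path
$Since       = (Get-Date).AddHours(-24)
$SystemSid   = 'S-1-5-18'                   # NT AUTHORITY\SYSTEM

function Get-EventField {
    # Pull the named <Data Name="..."> values out of an event's XML into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Find-SuspiciousAcronisEvents {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688, 4670; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $f = Get-EventField -Event $ev
        switch ($ev.Id) {
            4688 {
                # Process creation: an Acronis binary started by a subject other than SYSTEM.
                if ($f.NewProcessName -like "$AcronisPath*" -and $f.SubjectUserSid -ne $SystemSid) {
                    [pscustomobject]@{
                        Time    = $ev.TimeCreated
                        Id      = 4688
                        Subject = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
                        Object  = $f.NewProcessName
                        Detail  = "Parent: $($f.ParentProcessName); TokenElevationType: $($f.TokenElevationType)"
                    }
                }
            }
            4670 {
                # Permissions changed on something inside the Acronis tree.
                if ($f.ObjectName -like "$AcronisPath*") {
                    [pscustomobject]@{
                        Time    = $ev.TimeCreated
                        Id      = 4670
                        Subject = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
                        Object  = $f.ObjectName
                        Detail  = "Old SD: $($f.OldSd)  New SD: $($f.NewSd)"
                    }
                }
            }
        }
    }
}

Find-SuspiciousAcronisEvents | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The TokenElevationType value is reported rather than filtered on: %%1936 is the default (Type 1) token, %%1937 an elevated (Type 2) token and %%1938 a UAC-limited (Type 3) token, and for a standard user without UAC prompts Type 1 is the normal value, so excluding it as the page's query does can hide exactly the processes of interest. Treat a non-SYSTEM launch of an Acronis binary or any 4670 on the install tree as something to triage, not as proof of exploitation.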