CVE-2026-28712
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Acronis Cyber Protect 17 for Windows due to DLL hijacking. Attackers with local access can exploit improper DLL loading to execute arbitrary code with SYSTEM privileges. Only Windows installations of Acronis Cyber Protect 17 before build 41186 are affected.
💻 Affected Systems
- Acronis Cyber Protect 17
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence establishment, and lateral movement capabilities.
Likely Case
Malicious insider or malware with initial foothold escalates privileges to install additional payloads, disable security controls, or access sensitive system resources.
If Mitigated
With proper access controls and least privilege principles, impact is limited to the compromised user account's permissions.
🎯 Exploit Status
DLL hijacking vulnerabilities typically have low exploitation complexity once the vulnerable DLL path is identified. Requires local access to plant malicious DLL.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 41186 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-2332
Restart Required: Yes
Instructions:
1. Download latest Acronis Cyber Protect 17 update from official Acronis portal.
2. Run installer with administrative privileges.
3. Restart system when prompted.
4. Verify build version is 41186 or higher.
🔧 Temporary Workarounds
Restrict write permissions to application directories
Windows: Prevent users from writing to Acronis installation directories to block DLL planting.
icacls "C:\Program Files\Acronis" /deny Users:(OI)(CI)W
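To see whether the restriction above is needed on a given host, this added example (not Acronis or site-provided code) lists Allow ACEs that grant write-type rights under the install tree to principals other than SYSTEM, Administrators, TrustedInstaller and CREATOR OWNER. The path is the one from the icacls command; the trusted-SID list is an assumption to adjust for your environment.

```powershell
# Added example, not vendor code: report Allow ACEs that let principals other
# than SYSTEM, Administrators or TrustedInstaller write under the install tree.
param(
    # Path from the icacls workaround above; change it for a non-default install.
    [string]$Root = 'C:\Program Files\Acronis'
)

# Rights that allow creating or overwriting a DLL, or re-permissioning the object.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership'
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) can appear unmapped in inheritable ACEs.
$genericBits = 0x50000000

$trustedSids = @(
    'S-1-5-18',        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-3-0',         # CREATOR OWNER (template ACE, replaced at object creation)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# The root itself, every subdirectory, and every DLL already present.
$items = @(Get-Item -LiteralPath $Root -Force) + @(
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -or $_.Extension -eq '.dll' })

$sidType = [System.Security.Principal.SecurityIdentifier]
$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }   # unreadable ACL, skip
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Value
        if ($trustedSids -contains $sid) { continue }
        $mask = [int]$rule.FileSystemRights
        if (($mask -band ($writeBits -bor $genericBits)) -eq 0) { continue }
        $name = try {
            $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $sid }   # orphaned SID with no account mapping
        [pscustomobject]@{
            Path      = $item.FullName
            Principal = $name
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

if ($findings) { $findings | Sort-Object Path, Principal | Format-Table -AutoSize -Wrap }
else { Write-Output "No non-administrative write access found under $Root" }
```

Run it from an elevated PowerShell session so every ACL in the tree is readable. Any row naming a broad group such as Users or Authenticated Users marks a location where a low-privileged account could place a DLL.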
Enable DLL Safe Search Mode
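Windows: Configure Windows to search the system directories for DLLs before the current working directory. This setting does not change loading from the application's own directory, which is still searched first.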
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f
🧯 If You Can't Patch
- Implement strict least privilege access controls to limit local user permissions
- Monitor for suspicious DLL loading events and file creation in Acronis directories
🔍 How to Verify
Check if Vulnerable:
Check Acronis Cyber Protect version in Control Panel > Programs and Features. If version is earlier than build 41186, system is vulnerable.
Check Version:
wmic product where "name like 'Acronis Cyber Protect%'" get version
Verify Fix Applied:
Verify build number is 41186 or higher in Acronis Cyber Protect interface or Windows Programs and Features.
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 4663 (File system access) showing unauthorized writes to Acronis directories
- Sysmon Event ID 11 (FileCreate) for DLL files in Acronis paths
Network Indicators:
- No network indicators - this is a local attack
SIEM Query:
source="windows" AND (event_id=4663 OR event_id=11) AND (file_path="*Acronis*" AND file_name="*.dll")