CVE-2026-28713
📋 TL;DR
This vulnerability involves default credentials for a local privileged user in Acronis Cyber Protect virtual appliances. Attackers can gain administrative access to affected VMware-based appliances, potentially compromising the entire system. Organizations using Acronis Cyber Protect Cloud Agent or Acronis Cyber Protect 17 on VMware are affected.
💻 Affected Systems
- Acronis Cyber Protect Cloud Agent (VMware)
- Acronis Cyber Protect 17 (VMware)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to steal sensitive data, deploy ransomware, pivot to other systems, or disrupt backup operations.
Likely Case
Unauthorized administrative access leading to data exfiltration, configuration changes, or installation of persistent backdoors.
If Mitigated
Limited impact if strong network segmentation, monitoring, and credential rotation are implemented.
🎯 Exploit Status
Exploitation requires only knowledge of default credentials, which may be documented or easily guessed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Acronis Cyber Protect Cloud Agent build 36943+, Acronis Cyber Protect 17 build 41186+
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-4168
Restart Required: Yes
Instructions:
1. Download the latest build from the Acronis portal.
2. Deploy the update through the management console.
3. Restart the affected virtual appliances.
4. Verify that the default credentials are no longer present.
🔧 Temporary Workarounds
Change Default Credentials
Manually change the credentials of the default local privileged user on all affected appliances:
ssh admin@<appliance-ip>
passwd
Enter the new password when prompted.
Network Segmentation
Restrict network access to the appliances with firewall rules. Because iptables evaluates rules in order, the ACCEPT rule for trusted networks must be inserted before the DROP rule:
iptables -A INPUT -s <trusted-networks> -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
🧯 If You Can't Patch
- Immediately change all default credentials on affected appliances
- Implement strict network access controls and monitor authentication logs
🔍 How to Verify
Check if Vulnerable:
Check the appliance build version via the management console, or over SSH with the 'acronis-version' command.
Check Version:
ssh admin@<appliance-ip> 'acronis-version'
Verify Fix Applied:
Attempt an SSH login with the known default credentials; it should fail. Verify that the build version is 36943+ (Cloud Agent) or 41186+ (Cyber Protect 17).
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by a successful login from the same source
- Multiple SSH login attempts from unusual sources
- Authentication logs showing default username usage
Network Indicators:
- SSH connections to appliance from unauthorized IPs
- Unusual outbound traffic patterns from appliance
SIEM Query:
source="auth.log" (username="admin" OR username="root") AND event="Accepted password"
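The log indicators listed above can be checked offline against exported appliance auth logs. The following script is an added example, not part of this advisory or of any Acronis tooling: it parses OpenSSH-style sshd lines and flags the three indicators (password logins as a default local account, which is the same condition as the SIEM query; failed attempts followed by a successful login from the same source; successful logins from outside trusted networks). The sample log lines, the account names admin/root, the 10.0.0.0/8 trusted network and the 300-second window are constructed assumptions to adapt per deployment.

```python
"""Scan sshd authentication log lines for the advisory's log indicators.

The log lines below are constructed sample data in OpenSSH syslog format,
not output from a real appliance. Account names, trusted networks and the
brute-force window are assumptions to adapt per deployment.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed default local accounts to watch (the advisory's query names admin/root).
DEFAULT_USERS = {"admin", "root"}
# Assumed management networks allowed to reach the appliance over SSH.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Failed attempts within this many seconds before a success are flagged.
WINDOW_SECONDS = 300

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample auth log (not real appliance output).
SAMPLE_LOG = """\
Mar  3 10:01:02 appliance sshd[1201]: Failed password for admin from 203.0.113.7 port 51522 ssh2
Mar  3 10:01:05 appliance sshd[1201]: Failed password for admin from 203.0.113.7 port 51522 ssh2
Mar  3 10:01:09 appliance sshd[1205]: Accepted password for admin from 203.0.113.7 port 51530 ssh2
Mar  3 10:15:44 appliance sshd[1310]: Accepted publickey for backupop from 10.0.0.5 port 40022 ssh2
Mar  3 11:02:13 appliance sshd[1400]: Accepted password for root from 198.51.100.9 port 33012 ssh2
Mar  3 11:30:00 appliance sshd[1450]: Failed password for invalid user test from 203.0.113.7 port 51600 ssh2
"""


def parse_line(line):
    """Return a dict for an sshd auth event, or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; only relative ordering within one
    # log matters here, so strptime's default year (1900) is acceptable.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return {
        "ts": ts,
        "accepted": m["result"] == "Accepted",
        "method": m["method"],
        "user": m["user"],
        "ip": ipaddress.ip_address(m["ip"]),
    }


def is_trusted(ip, trusted_nets=TRUSTED_NETS):
    """True if the source address lies inside one of the trusted networks."""
    return any(ip in net for net in trusted_nets)


def analyze(lines, trusted_nets=TRUSTED_NETS, window=WINDOW_SECONDS):
    """Return findings as (kind, user, source_ip, timestamp) tuples."""
    findings = []
    recent_failures = defaultdict(list)  # source ip -> failure timestamps
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if not ev["accepted"]:
            recent_failures[ev["ip"]].append(ev["ts"])
            continue
        stamp = ev["ts"].strftime("%b %d %H:%M:%S")
        # Indicator 1: password login as a default local account
        # (the same condition as the advisory's SIEM query).
        if ev["user"] in DEFAULT_USERS and ev["method"] == "password":
            findings.append(("default_account_password_login", ev["user"], str(ev["ip"]), stamp))
        # Indicator 2: failures from this source shortly before the success.
        prior = [t for t in recent_failures[ev["ip"]]
                 if (ev["ts"] - t).total_seconds() <= window]
        if prior:
            findings.append(("failed_then_accepted", ev["user"], str(ev["ip"]), stamp))
        # Indicator 3: successful login from outside the trusted networks.
        if not is_trusted(ev["ip"], trusted_nets):
            findings.append(("untrusted_source", ev["user"], str(ev["ip"]), stamp))
        recent_failures[ev["ip"]].clear()
    return findings


if __name__ == "__main__":
    for kind, user, ip, stamp in analyze(SAMPLE_LOG.splitlines()):
        print(f"{stamp}  {kind:32s} user={user} src={ip}")
```

Run against the sample, the admin login from 203.0.113.7 trips all three indicators (two failures seven seconds earlier, a default account, an untrusted source), while the key-based backupop login from the management network produces nothing. Feed real exported logs through `analyze()` and route the findings into whatever alerting the SIEM query above already drives.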