CVE-2026-28717
📋 TL;DR
This vulnerability allows local attackers to escalate privileges on Windows systems running Acronis Cyber Protect 17 due to improper directory permissions. Attackers with local access can exploit weak permissions to gain elevated system privileges. Only Acronis Cyber Protect 17 installations on Windows before build 41186 are affected.
💻 Affected Systems
- Acronis Cyber Protect 17
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains SYSTEM/administrator privileges, enabling complete system compromise, data theft, malware persistence, and lateral movement.
Likely Case
Malicious insider or compromised user account escalates to administrative privileges to install malware, steal sensitive data, or disable security controls.
If Mitigated
With proper access controls and monitoring, impact is limited to the isolated system, and the attacker must already have local access.
🎯 Exploit Status
Directory permission vulnerabilities typically have low exploitation complexity once the vulnerable directory is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 41186 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-8363
Restart Required: Yes
Instructions:
1. Open Acronis Cyber Protect 17.
2. Check for updates in the application.
3. Apply update to build 41186 or later.
4. Restart the system as prompted.
🔧 Temporary Workarounds
Restrict directory permissions
Windows: manually adjust permissions on vulnerable Acronis directories to restrict write access to authorized users only.
icacls "C:\Program Files\Acronis\*" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX" /T
🧯 If You Can't Patch
- Implement strict least privilege access controls to limit local user permissions
- Enable detailed auditing of file system permission changes and privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check the Acronis Cyber Protect 17 version in the application or via 'wmic product where name="Acronis Cyber Protect" get version', and verify whether the build is below 41186.
Check Version:
wmic product where name="Acronis Cyber Protect" get version
Verify Fix Applied:
Confirm version is 41186 or higher and verify directory permissions are properly restricted.
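For the "verify directory permissions are properly restricted" step, the PowerShell audit below is an added example, not part of the original page and not Acronis tooling. It assumes the C:\Program Files\Acronis path from the workaround above; the function name Get-WeakAcl and the list of broad groups are illustrative choices.

```powershell
# Added example (not vendor code): list ACEs that give broad groups write-type
# access under the Acronis install tree.
# Assumption: the default path is the one used in the icacls workaround above.
$BroadSids = @{                      # well-known SIDs, independent of OS language
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
# WriteData|AppendData|DeleteSubdirectoriesAndFiles|Delete|ChangePermissions|
# TakeOwnership, plus raw GENERIC_WRITE and GENERIC_ALL seen on inherit-only ACEs.
$WriteMask = 0x500D0046

function Get-WeakAcl {
    param([string]$Root = 'C:\Program Files\Acronis')
    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "Path not found: $Root"
        return
    }
    # Audit the root itself and everything below it (files and directories).
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }
        # Resolve trustees to SIDs so matching does not depend on localized names.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow' -or -not $BroadSids.ContainsKey($sid)) { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# An empty result means no broad group holds write-type rights under $Root.
Get-WeakAcl | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so ACLs on protected subdirectories can be read; rows that remain after updating to build 41186 or later are the entries to review against the workaround above.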
📡 Detection & Monitoring
Log Indicators:
- Windows Security event logs showing privilege escalation (event ID 4672)
- Unexpected process creation with SYSTEM privileges from user accounts
- File permission modification events on Acronis directories
Network Indicators:
- None - this is a local exploit
SIEM Query:
EventID=4672 AND SubjectUserName!=SYSTEM AND (NewProcessName contains "cmd.exe" OR NewProcessName contains "powershell.exe")