CVE-2026-28721
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Acronis Cyber Protect 17 for Windows due to improper handling of symbolic links. Attackers with local access can exploit this to gain elevated privileges on affected systems. Only Windows installations of Acronis Cyber Protect 17 before build 41186 are affected.
💻 Affected Systems
- Acronis Cyber Protect 17
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access could gain SYSTEM/administrator privileges, potentially leading to complete system compromise, data theft, or installation of persistent malware.
Likely Case
Malicious local users or malware with limited privileges could escalate to administrative rights, enabling them to disable security controls, access sensitive data, or move laterally within the network.
If Mitigated
With proper access controls and limited local user privileges, the impact is reduced to unauthorized privilege escalation within the compromised user's scope.
🎯 Exploit Status
Requires local access and some technical knowledge of symbolic link attacks. No public exploit code has been disclosed as of the advisory date.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 41186 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-8445
Restart Required: Yes
Instructions:
1. Open Acronis Cyber Protect console. 2. Check current version. 3. If below build 41186, download and install the latest update from Acronis. 4. Restart the system as prompted.
🔧 Temporary Workarounds
Restrict local user privileges
windowsLimit local user accounts to standard user privileges to reduce attack surface
Disable unnecessary local accounts
windowsRemove or disable local accounts that don't require access to the system
🧯 If You Can't Patch
- Implement strict access controls to limit who has local access to affected systems
- Monitor for privilege escalation attempts using endpoint detection and response (EDR) tools
🔍 How to Verify
Check if Vulnerable:
Check Acronis Cyber Protect version in the console or via 'wmic product where name="Acronis Cyber Protect" get version'Check Version:
wmic product where name="Acronis Cyber Protect" get versionVerify Fix Applied:
Verify version is 17.0.41186 or higher in the Acronis console📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation events in Windows Security logs
- Acronis service restart failures
- Symbolic link creation in protected directories
Network Indicators:
- None - this is a local attack
SIEM Query:
EventID=4672 OR EventID=4688 with Acronis process names and privilege changes