CVE-2026-28722
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Acronis Cyber Protect 17 for Windows due to improper handling of symbolic links. An attacker with local access can exploit this to gain elevated SYSTEM privileges. Only Windows installations of Acronis Cyber Protect 17 before build 41186 are affected.
💻 Affected Systems
- Acronis Cyber Protect 17
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access gains full SYSTEM privileges, allowing complete compromise of the Windows host, installation of persistent malware, credential theft, and lateral movement.
Likely Case
Malicious insider or malware with local execution capabilities escalates to SYSTEM privileges to disable security controls, establish persistence, or access protected resources.
If Mitigated
With proper access controls and monitoring, exploitation would be detected and contained before significant damage occurs.
🎯 Exploit Status
Requires local access to the system. Symbolic link vulnerabilities typically have low exploitation complexity once the technique is understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 41186 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-8481
Restart Required: Yes
Instructions:
1. Download Acronis Cyber Protect 17 build 41186 or later from the Acronis portal. 2. Run the installer with administrative privileges. 3. Follow the upgrade wizard. 4. Restart the system when prompted.
🔧 Temporary Workarounds
Restrict local access
windowsLimit local interactive logon to only necessary administrative users
Disable vulnerable component
windowsIf Acronis Cyber Protect is not essential, consider uninstalling it until patched
appwiz.cpl
🧯 If You Can't Patch
- Implement strict least privilege access controls to limit who can log on locally
- Deploy application control/whitelisting to prevent unauthorized process execution
🔍 How to Verify
Check if Vulnerable:
Check Acronis Cyber Protect version in Control Panel > Programs and Features. If version is earlier than build 41186, the system is vulnerable.Check Version:
wmic product where "name like 'Acronis Cyber Protect%'" get versionVerify Fix Applied:
Verify the installed version shows build 41186 or higher in Programs and Features.📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from Acronis directories with SYSTEM privileges
- Failed privilege escalation attempts in Windows Security logs
Network Indicators:
- None - this is a local exploit
SIEM Query:
EventID=4688 AND NewProcessName CONTAINS 'acronis' AND SubjectUserName!=SYSTEM AND TokenElevationType=%%1938