CVE-2026-28727
📋 TL;DR
This vulnerability allows local attackers to escalate privileges on macOS systems by exploiting insecure Unix socket permissions in Acronis Cyber Protect products. It affects Acronis Cyber Protect 17 and Acronis Cyber Protect Cloud Agent on macOS. Attackers with local access can gain root privileges.
💻 Affected Systems
- Acronis Cyber Protect 17
- Acronis Cyber Protect Cloud Agent
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full root privileges, compromising the entire macOS system and all data/processes.
Likely Case
Local user or malware escalates to root to install persistent backdoors, steal credentials, or bypass security controls.
If Mitigated
Limited impact if proper access controls restrict local user accounts and monitoring detects privilege escalation attempts.
🎯 Exploit Status
Exploitation requires local access but is straightforward once access is obtained. No public exploit code is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Acronis Cyber Protect 17 build 41186+, Acronis Cyber Protect Cloud Agent build 41124+
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-9408
Restart Required: Yes
Instructions:
1. Update Acronis Cyber Protect 17 to build 41186 or later.
2. Update Acronis Cyber Protect Cloud Agent to build 41124 or later.
3. Restart the system to ensure changes take effect.
🔧 Temporary Workarounds
Restrict local user access
Limit local user accounts to trusted personnel only and implement strict access controls.
Monitor for privilege escalation
Deploy endpoint detection to alert on suspicious privilege escalation attempts.
🧯 If You Can't Patch
- Uninstall affected Acronis products if not essential.
- Implement strict local user controls and monitor for unauthorized access.
🔍 How to Verify
Check if Vulnerable:
Check the Acronis Cyber Protect build number in the application settings or via the terminal command below.
Check Version:
/Applications/Acronis\ Cyber\ Protect\ 17.app/Contents/MacOS/acronis_agent --version
Verify Fix Applied:
Verify that the build is 41186 or later for Cyber Protect 17, or 41124 or later for Cloud Agent, and confirm that the agent's Unix socket files are no longer accessible to unprivileged local users.
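As an added example (not from the advisory or from Acronis), a small Python audit that walks a directory and flags Unix domain sockets that a non-root local user could connect to. The advisory does not give the agent's socket path, so the directory to scan is an argument (default /var/run, an assumption); point it at wherever the agent keeps its socket.

```python
# Added example: audit Unix domain sockets under a directory and flag ones that
# unprivileged local users could connect to. A client needs write permission on
# the socket file to connect(), so world/group-writable bits are what matter.
# The advisory does not give the agent's socket path, so the directory to scan
# is an argument (default /var/run is an assumption); adjust it as needed.
import os
import stat
import sys


def socket_exposure(path, trusted_uid=0):
    """Return a list of findings for one socket; an empty list means restricted.

    trusted_uid is the uid expected to own a privileged daemon's socket (root by
    default). A socket owned by another uid, or writable by others or by a
    non-root group, is reachable from a lower-privileged account.
    """
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a Unix domain socket")
    findings = []
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        findings.append(f"writable by non-root group gid={st.st_gid}")
    if st.st_uid != trusted_uid:
        findings.append(f"owned by uid={st.st_uid}, expected uid={trusted_uid}")
    return findings


def audit_sockets(root, trusted_uid=0):
    """Walk root and map every Unix socket path to its findings."""
    results = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if stat.S_ISSOCK(os.lstat(path).st_mode):
                    results[path] = socket_exposure(path, trusted_uid)
            except OSError:
                continue  # vanished or unreadable; skip it
    return results


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/run"
    for path, findings in sorted(audit_sockets(root).items()):
        status = "EXPOSED: " + ", ".join(findings) if findings else "restricted"
        print(f"{path}: {status}")
```

Run it as root before and after applying the fix; any socket belonging to the agent that still reports EXPOSED has not been restricted.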
📡 Detection & Monitoring
Log Indicators:
- Unexpected privilege escalation events in system logs
- Acronis process spawning with root privileges from non-root users
Network Indicators:
- None - this is a local exploit
SIEM Query:
source="macos_system_logs" AND (event="privilege_escalation" OR (process="acronis" AND user!="root"))