Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800.
The vulnerability stems from insufficient or improperly implemented authentication procedures in Acronis Cyber Protect. An attacker can remotely bypass access control mechanisms without possessing an account or permissions. As a result, it is possible to read and modify protected data processed by the software. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C) indicates that the attack is possible over the network, with low complexity and without any prerequisites on the attacker's side.
An attacker can gain unauthorized access to sensitive data (confidentiality) and modify it (integrity), and may potentially disrupt system availability — all from the network level, without any authentication.
Acronis Cyber Protect 16 must be updated immediately to build 39938 or newer, and Acronis Cyber Protect 15 to build 41800 or newer. Details are available in the official producer security bulletin: https://security-advisory.acronis.com/advisories/SEC-8768
Acronis Cyber Protect 16 (Linux, Windows) in versions before build 39938 and Acronis Cyber Protect 15 (Linux, Windows) in versions before build 41800.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HAcronis Cyber Protect
APPAcronis1516Linux Kernel
OSLinuxwszystkie wersjeMicrosoft Windows
OSMicrosoftwszystkie wersje
Related vulnerabilities
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit