CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-30411

CVSS 10.0v3.0pub. 2026-02-20upd. 2026-03-12

Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800.

🤖 AI Analysis
How it works

The vulnerability stems from insufficient or improperly implemented authentication procedures in Acronis Cyber Protect. An attacker can remotely bypass access control mechanisms without possessing an account or permissions. As a result, it is possible to read and modify protected data processed by the software. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C) indicates that the attack is possible over the network, with low complexity and without any prerequisites on the attacker's side.

Impact

An attacker can gain unauthorized access to sensitive data (confidentiality) and modify it (integrity), and may potentially disrupt system availability — all from the network level, without any authentication.

Mitigation & patch

Acronis Cyber Protect 16 must be updated immediately to build 39938 or newer, and Acronis Cyber Protect 15 to build 41800 or newer. Details are available in the official producer security bulletin: https://security-advisory.acronis.com/advisories/SEC-8768

Who is affected

Acronis Cyber Protect 16 (Linux, Windows) in versions before build 39938 and Acronis Cyber Protect 15 (Linux, Windows) in versions before build 41800.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Acronis Cyber Protect

    APP
    Acronis
    1516
  • Linux Kernel

    OS
    Linux
    wszystkie wersje
  • Microsoft Windows

    OS
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2024-7262CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows

CVE-2024-4577CRITICAL9.8⚠ KEVPL ✓ten sam produkt

PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit