Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800.
The error lies in the improper implementation of the authentication mechanism in the Acronis Cyber Protect product. A remote attacker, without possessing any privileges or requiring user interaction, can bypass required identity verification controls. As a result, they gain unauthorized access to protected system resources and the ability to modify them, with the scope of the attack extending beyond the directly vulnerable component (Scope: Changed).
An attacker can obtain unauthorized access to sensitive data processed by the backup and protection system (full confidentiality, integrity, and availability threatened at critical level), as well as manipulate or disrupt the operation of protected environments.
Acronis Cyber Protect 16 should be updated to build 39938 or newer and Acronis Cyber Protect 15 to build 41800 or newer as soon as possible. Detailed information is available in the official vendor security bulletin: https://security-advisory.acronis.com/advisories/SEC-8598
Acronis Cyber Protect 16 (Linux, Windows) in builds prior to 39938 and Acronis Cyber Protect 15 (Linux, Windows) in builds prior to 41800.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HAcronis Cyber Protect
APPAcronis1516Linux Kernel
OSLinuxwszystkie wersjeMicrosoft Windows
OSMicrosoftwszystkie wersje
Related vulnerabilities
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit