CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-30412

CVSS 10.0v3.0pub. 2026-02-20upd. 2026-03-12

Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800.

🤖 AI Analysis
How it works

The error lies in the improper implementation of the authentication mechanism in the Acronis Cyber Protect product. A remote attacker, without possessing any privileges or requiring user interaction, can bypass required identity verification controls. As a result, they gain unauthorized access to protected system resources and the ability to modify them, with the scope of the attack extending beyond the directly vulnerable component (Scope: Changed).

Impact

An attacker can obtain unauthorized access to sensitive data processed by the backup and protection system (full confidentiality, integrity, and availability threatened at critical level), as well as manipulate or disrupt the operation of protected environments.

Mitigation & patch

Acronis Cyber Protect 16 should be updated to build 39938 or newer and Acronis Cyber Protect 15 to build 41800 or newer as soon as possible. Detailed information is available in the official vendor security bulletin: https://security-advisory.acronis.com/advisories/SEC-8598

Who is affected

Acronis Cyber Protect 16 (Linux, Windows) in builds prior to 39938 and Acronis Cyber Protect 15 (Linux, Windows) in builds prior to 41800.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Acronis Cyber Protect

    APP
    Acronis
    1516
  • Linux Kernel

    OS
    Linux
    wszystkie wersje
  • Microsoft Windows

    OS
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2024-7262CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows

CVE-2024-4577CRITICAL9.8⚠ KEVPL ✓ten sam produkt

PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit