Listen to this Post
CVE-2025-30412 is a critical vulnerability residing in the authentication mechanism of Acronis Cyber Protect versions 15 and 16 on both Linux and Windows platforms . It is classified under CWE-1390, which refers to a “Weak Authentication” flaw . This vulnerability stems from an improper authentication process, meaning the software fails to correctly verify the identity of a user or system attempting to access its resources . An unauthenticated remote attacker can exploit this by sending specially crafted requests to the affected application, bypassing the intended login or access controls entirely . Because the attack vector is network-based and requires low complexity, no privileges, and no user interaction, it is highly accessible to attackers . Successful exploitation leads to the disclosure of sensitive data managed by the backup solution, such as system configurations and backup archives, as well as the unauthorized manipulation or corruption of that data . The scope of the impact is changed, meaning the compromise can affect resources beyond the vulnerable component, potentially allowing an attacker to take full control of the backup infrastructure and use it as a foothold for further network penetration .
Platform: Acronis Cyber Protect
Version: before builds 39938/41800
Vulnerability : Improper Authentication
Severity: CRITICAL (10.0)
date: 2026-02-19
Prediction: Patches released June 2025
What Undercode Say:
Analytics
The vulnerability affects two major versions of Acronis Cyber Protect (15 and 16) across two operating systems (Linux and Windows) . The attack surface is significant as it requires no authentication and can be triggered over a network . The presence of this flaw in backup software is particularly dangerous, as attackers often target backup infrastructure to disable recovery options before deploying ransomware. The CVSS 10.0 score indicates maximum severity, and given the widespread enterprise use of Acronis, the potential for impact is high.
Bash commands and codes related to the blog
To check your Acronis Cyber Protect build version on a Linux system, you can often use the package manager or check the installed files directly. The exact command may vary based on the installation method.
Example: Check Acronis package version on Linux (Debian/Ubuntu)
dpkg -l | grep acronis
Example: Check Acronis package version on Linux (RPM-based)
rpm -qa | grep acronis
Example: A more direct method might involve checking a specific binary
/usr/sbin/acronis-cyber-protect --version
On Windows, you would typically check via:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "Acronis"} | Select-Object Name, Version
Or more simply via the GUI: Control Panel -> Programs and Features.
Note: These are illustrative examples. The exact command should be confirmed in Acronis’s official documentation. The secure versions are build 39938 for version 16 and build 41800 for version 15 .
How Exploit:
- Step 1: The attacker identifies a network-accessible Acronis Cyber Protect management interface or service on a vulnerable build .
- Step 2: The attacker crafts a malicious network request designed to exploit the improper authentication logic, targeting specific API endpoints or functions that should require a login .
- Step 3: The request is sent to the target server. Due to the vulnerability (CWE-1390), the server processes the request without validating the attacker’s identity .
- Step 4: The server returns sensitive data (like backup lists, configurations, or credentials) or allows the attacker to modify settings and data .
Protection from this CVE
- Immediate Patching: Update Acronis Cyber Protect 16 to build 39938 or later, and Acronis Cyber Protect 15 to build 41800 or later .
- Network Segmentation: Isolate the Acronis management console and agents on a secure, separate network segment, accessible only to trusted administrators via a VPN .
- Strict Access Controls: Implement firewall rules to restrict access to the Acronis services from only authorized administrative workstations .
- Multi-Factor Authentication: If supported by the Acronis version (or surrounding infrastructure), enforce MFA for all access to management interfaces .
- Monitor Logs: Vigilantly monitor Acronis and system logs for any suspicious activity, such as unexpected access or configuration changes .
Impact
A successful exploit of CVE-2025-30412 can lead to a complete compromise of the backup system . Attackers can exfiltrate sensitive corporate data, including customer information and intellectual property, found in backups. By manipulating or corrupting backup data and configurations, they can render backups unusable, crippling disaster recovery efforts and enabling destructive ransomware attacks. The integrity of the entire backup infrastructure is undermined, turning a primary security control into a liability and causing significant operational and financial damage .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

