CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-8767

CVSS 9.9v3.0pub. 2024-09-17upd. 2026-04-15

Sensitive data disclosure and manipulation due to unnecessary privileges assignment. The following products are affected: Acronis Backup plugin for cPanel & WHM (Linux) before build 619, Acronis Backup extension for Plesk (Linux) before build 555, Acronis Backup plugin for DirectAdmin (Linux) before build 147.

🤖 AI Analysis
How it works

The issue stems from improper privilege assignment (CWE-250 — Execution with Unnecessary Privileges), causing plugin components to operate with excessive system privileges. An authenticated remote attacker can exploit these privileges to gain access to sensitive data or modify it. The network attack vector with low complexity and no required user interaction makes exploitation relatively simple. The changed scope (Scope: Changed) indicates that impacts may extend beyond the directly vulnerable component.

Impact

An attacker with basic authentication level can disclose sensitive data or modify it, and potentially disrupt system availability, which in hosting environments can lead to data breach affecting multiple customers.

Mitigation & patch

Update required: Acronis Backup plugin for cPanel & WHM (Linux) to build 619 or later, Acronis Backup extension for Plesk (Linux) to build 555 or later, Acronis Backup plugin for DirectAdmin (Linux) to build 147 or later. Details available in the vendor's advisory: https://security-advisory.acronis.com/advisories/SEC-4976

Who is affected

Acronis Backup plugin for cPanel & WHM (Linux) before build 619, Acronis Backup extension for Plesk (Linux) before build 555, Acronis Backup plugin for DirectAdmin (Linux) before build 147.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References