Sensitive data disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800.
Missing required authorization controls in Acronis Cyber Protect components allow any network attacker access to protected resources or operations without having proper permissions. An attacker can send requests to vulnerable system endpoints without authentication, gaining access to data or the ability to modify it. The vulnerability is remotely accessible over the network (AV:N), requires no privileges (PR:N) or user interaction (UI:N), and its impact extends beyond the system boundary (S:C).
An attacker can gain unauthorized access to sensitive data processed by the backup and protection system (e.g., credentials, configurations, protected machine data) and perform unauthorized modifications, which may lead to compromised backup integrity and complete loss of data confidentiality.
Acronis Cyber Protect 16 must be immediately updated to build 39938 or newer, and Acronis Cyber Protect 15 to build 41800 or newer. Details are available in the vendor's security guide: https://security-advisory.acronis.com/advisories/SEC-8766
Acronis Cyber Protect 16 (Linux, Windows) prior to build 39938 and Acronis Cyber Protect 15 (Linux, Windows) prior to build 41800.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HAcronis Cyber Protect
APPAcronis1516Linux Kernel
OSLinuxwszystkie wersjeMicrosoft Windows
OSMicrosoftwszystkie wersje
Related vulnerabilities
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit