CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-30416

CVSS 10.0v3.0pub. 2026-02-20upd. 2026-03-12

Sensitive data disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800.

🤖 AI Analysis
How it works

Missing required authorization controls in Acronis Cyber Protect components allow any network attacker access to protected resources or operations without having proper permissions. An attacker can send requests to vulnerable system endpoints without authentication, gaining access to data or the ability to modify it. The vulnerability is remotely accessible over the network (AV:N), requires no privileges (PR:N) or user interaction (UI:N), and its impact extends beyond the system boundary (S:C).

Impact

An attacker can gain unauthorized access to sensitive data processed by the backup and protection system (e.g., credentials, configurations, protected machine data) and perform unauthorized modifications, which may lead to compromised backup integrity and complete loss of data confidentiality.

Mitigation & patch

Acronis Cyber Protect 16 must be immediately updated to build 39938 or newer, and Acronis Cyber Protect 15 to build 41800 or newer. Details are available in the vendor's security guide: https://security-advisory.acronis.com/advisories/SEC-8766

Who is affected

Acronis Cyber Protect 16 (Linux, Windows) prior to build 39938 and Acronis Cyber Protect 15 (Linux, Windows) prior to build 41800.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Acronis Cyber Protect

    APP
    Acronis
    1516
  • Linux Kernel

    OS
    Linux
    wszystkie wersje
  • Microsoft Windows

    OS
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2024-7262CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows

CVE-2024-4577CRITICAL9.8⚠ KEVPL ✓ten sam produkt

PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit