CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-28710

CVSS 9.8v3.1pub. 2026-03-06upd. 2026-03-12

Sensitive information disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-1390 (Improper Authentication) means that the identity verification mechanism in the application is improperly implemented or bypassed in certain cases. An attacker can send appropriately crafted network requests without providing valid authentication credentials and still gain access to protected resources or perform unauthorized operations. The attack vector is network-based, and the attack does not require any special conditions or privileges on the attacker's side.

Impact

An attacker can gain unauthorized access to sensitive data processed by Acronis Cyber Protect and perform unauthorized modifications, threatening the confidentiality, integrity, and availability of protected resources.

Mitigation & patch

Acronis Cyber Protect 17 should be updated to build 41186 or newer. Detailed information is available in the official security bulletin from the vendor at: https://security-advisory.acronis.com/advisories/SEC-9137

Who is affected

Acronis Cyber Protect 17 on Linux and Windows systems in versions prior to build 41186.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Acronis Cyber Protect

    APP
    Acronis
    < 17.0.41186
  • Linux Kernel

    OS
    Linux
    wszystkie wersje
  • Microsoft Windows

    OS
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2024-7262CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows

CVE-2024-4577CRITICAL9.8⚠ KEVPL ✓ten sam produkt

PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit