Local privilege escalation due to insecure driver communication port permissions. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40278, Acronis Agent (Windows) before build 31637, Acronis Cyber Protect 15 (Windows) before build 35979.
Weakness
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Agent | Acronis | * | c23.02 (excluding) |
| Cyber_protect | Acronis | 15 (including) | 15 (including) |
| Cyber_protect | Acronis | 15-update1 (including) | 15-update1 (including) |
| Cyber_protect | Acronis | 15-update2 (including) | 15-update2 (including) |
| Cyber_protect | Acronis | 15-update3 (including) | 15-update3 (including) |
| Cyber_protect | Acronis | 15-update4 (including) | 15-update4 (including) |
| Cyber_protect | Acronis | 15-update5 (including) | 15-update5 (including) |
| Cyber_protect_home_office | Acronis | - (including) | - (including) |
| Cyber_protect_home_office | Acronis | 39900 (including) | 39900 (including) |
| Cyber_protect_home_office | Acronis | 40107 (including) | 40107 (including) |
| Cyber_protect_home_office | Acronis | 40173 (including) | 40173 (including) |
| Cyber_protect_home_office | Acronis | 40208 (including) | 40208 (including) |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/122.html
- https://cwe.mitre.org/data/definitions/233.html
- https://cwe.mitre.org/data/definitions/58.html