Impact
Acronis True Image software on Windows can be abused by an unprivileged user to gain elevated local privileges through a DLL hijacking flaw. The weakness allows an attacker to place a malicious DLL in a directory that precedes the legitimate DLL in the search path, causing the application to load the attacker-controlled code. As a result, the attacker can execute arbitrary code with the same privileges as the application, which typically runs with administrative rights, leading to full system compromise.
Affected Systems
Affected products include Acronis True Image for Windows and its OEM, SanDisk, and Western Digital editions. The vulnerability exists in builds before 42386 for the standard product, before 42636 for the Western Digital version, before 42679 for the SanDisk version, and before 42575 for the OEM edition.
Risk and Exploitability
The CVSS score of 7.3 indicates a high severity local privilege escalation risk, while the EPSS score of less than 1% suggests that widespread exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local access to the machine and the ability to place a DLL in a directory that the application scans before its installed location, which may be feasible in environments where unprivileged users have write permissions to temporary or program directories. Once the planted DLL is loaded, the attacker gains elevated rights immediately, threatening system confidentiality, integrity, and availability.
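The precondition described above, write access for unprivileged users to a directory the application searches, can be audited directly. The following PowerShell check is an added example, not part of the advisory and not vendor code; it reports directories where a principal other than SYSTEM, Administrators or TrustedInstaller can create files. `$InstallDir` is a placeholder, `Get-WritableAce` is a hypothetical helper name, and auditing the install directory plus every `PATH` entry is an assumption about which directories matter.

```powershell
# Added example: find DLL search-path directories writable by non-admin principals.
param([string]$InstallDir = 'C:\Path\To\Application')  # placeholder, set to the real install directory

# Principals expected to hold write access (well-known SIDs, locale independent).
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow dropping a file: CreateFiles/WriteData (0x2),
# plus raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) entries.
$plantMask = 0x2 -bor 0x40000000 -bor 0x10000000
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-WritableAce {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        # A search-path entry that does not exist deserves review as well.
        return [pscustomobject]@{ Directory = $Directory; Principal = '(directory missing)'; Rights = 'n/a' }
    }
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries apply to children, not to the directory itself.
        if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }
        if (-not ([int]$ace.FileSystemRights -band $plantMask)) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value  # unresolved identity, keep as shown
        }
        if ($trustedSids -notcontains $sid) {
            [pscustomobject]@{
                Directory = $Directory
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

# Install directory first, then every PATH entry, de-duplicated.
$dirs = @($InstallDir) + ($env:Path -split ';' | Where-Object { $_ }) | Select-Object -Unique
$dirs | ForEach-Object { Get-WritableAce -Directory $_ } | Format-Table -AutoSize
```

Any row naming a group such as Users or Authenticated Users marks a directory whose ACL should be tightened, independently of updating to a fixed build.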