Description
Unauthorized modification of settings due to insufficient authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
Published: 2026-03-05
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch
AI Analysis

Impact

Insufficient authorization checks allow an authenticated attacker to modify configuration settings in Acronis Cyber Protect 17 builds before 41186 on Linux and Windows. Because those settings govern backup and protection behaviour, an attacker who can change them could weaken protection or prepare a foothold for further compromise. The vulnerability is classified as CWE-863 (Incorrect Authorization): the product authenticates the caller but does not adequately check whether that caller is permitted to perform the requested change.

Affected Systems

Acronis Cyber Protect 17 on Linux and Windows, any installation built before version 41186.

Risk and Exploitability

The CVSS 3.0 base score of 4.3 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) rates the issue Medium: it is reachable over the network with low attack complexity and no user interaction, requires an account with low privileges, and affects integrity only (partial impact, no confidentiality or availability impact, scope unchanged). The EPSS score is below 1%, the SSVC assessment records no known exploitation and marks the issue as not automatable, and it is not listed in the CISA KEV catalog. Beyond the need for a low-privilege account with access to the settings functionality, the exact prerequisites are not documented in the advisory.

Generated by OpenCVE AI on April 16, 2026 at 11:47 UTC.

Remediation

The vendor description states that the issue is fixed in build 41186 of Acronis Cyber Protect 17; no separate workaround is documented.

OpenCVE Recommended Actions

  • Upgrade Acronis Cyber Protect 17 to build 41186 or later, which contains the fix for the authorization check.
  • If an immediate upgrade is not possible, limit exposure by restricting network access to the configuration management interface, e.g., via firewall rules or segmentation.
  • Enforce stronger authentication and authorization for configuration changes, such as requiring multi-factor authentication and logging all settings modifications for audit.

Generated by OpenCVE AI on April 16, 2026 at 11:47 UTC.
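The Impact section above describes the flaw class (CWE-863: the caller is authenticated but not checked for permission to change a given setting), and the recommended actions call for per-change authorization and an audit trail. The Python below shows both sides of that in one place: a settings handler that only checks for a login next to one that also enforces a per-setting role policy and records every attempt. This is an added example and not Acronis code; the product's real settings, roles, users and handlers are not documented on this page, so the names used here are invented for the demonstration.

```python
"""
CWE-863 (Incorrect Authorization) on a settings-update endpoint: an added
example, not Acronis code. The setting names, roles and users below are
invented to show the flaw class and its fix.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


class Unauthenticated(Exception):
    """No valid session: the caller is not logged in at all."""


class PermissionDenied(Exception):
    """Valid session, but the caller's roles do not permit this change."""


# Hypothetical policy: which roles may change which protection-relevant setting.
# Authorization is decided per setting, not per endpoint, and unknown settings
# are denied by default.
SETTING_POLICY = {
    "antimalware.realtime_protection": frozenset({"security_admin"}),
    "backup.retention_days": frozenset({"backup_admin", "security_admin"}),
    "notifications.email": frozenset({"operator", "backup_admin", "security_admin"}),
}

# Constructed starting values for the demonstration.
DEFAULT_SETTINGS = {
    "antimalware.realtime_protection": True,
    "backup.retention_days": 30,
    "notifications.email": "",
}


@dataclass
class SettingsStore:
    values: dict = field(default_factory=lambda: dict(DEFAULT_SETTINGS))
    audit_log: list = field(default_factory=list)

    def record(self, user, key, value, outcome):
        """Audit entry for every attempt, allowed or denied."""
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user.name,
            "setting": key,
            "new_value": value,
            "outcome": outcome,
        })


def vulnerable_update(store, user, key, value):
    """The flaw: authentication is checked, authorization is not.
    Any logged-in account (CVSS PR:L) can alter any setting, including
    switching protection off (integrity impact, I:L)."""
    if user is None:
        raise Unauthenticated("login required")
    store.values[key] = value  # no role check, no audit record


def hardened_update(store, user, key, value):
    """The fix: look up which roles may change this setting, deny unless the
    caller holds one of them, and audit both allowed and denied attempts."""
    if user is None:
        raise Unauthenticated("login required")
    allowed_roles = SETTING_POLICY.get(key)
    if allowed_roles is None or not (user.roles & allowed_roles):
        store.record(user, key, value, "denied")
        raise PermissionDenied(f"{user.name} may not change {key}")
    store.values[key] = value
    store.record(user, key, value, "allowed")


def demo():
    """Run the same low-privilege request against both handlers."""
    operator = User("ops-user", frozenset({"operator"}))
    admin = User("sec-admin", frozenset({"security_admin"}))

    weak = SettingsStore()
    vulnerable_update(weak, operator, "antimalware.realtime_protection", False)

    fixed = SettingsStore()
    try:
        hardened_update(fixed, operator, "antimalware.realtime_protection", False)
        operator_blocked = False
    except PermissionDenied:
        operator_blocked = True
    hardened_update(fixed, admin, "antimalware.realtime_protection", False)

    return {
        "vulnerable_protection_after_operator": weak.values["antimalware.realtime_protection"],
        "hardened_operator_blocked": operator_blocked,
        "hardened_protection_after_admin": fixed.values["antimalware.realtime_protection"],
        "hardened_audit_outcomes": [e["outcome"] for e in fixed.audit_log],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point to carry over to any real product: the check that matters is the one against the specific object being changed, made server-side on every request, with the default being denial. The audit entries written on the denied path are also the detection hook the third recommendation asks for, since a burst of denied changes to protection settings from a low-privilege account is exactly the pattern an attempt to exploit this class of flaw would leave.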


Advisories

No advisories yet.

History

Thu, 16 Apr 2026 12:15:00 +0000

  • Type: Title
    Values added: Insufficient Authorization Checks Allow Unauthorized Settings Modification in Acronis Cyber Protect 17

Fri, 13 Mar 2026 16:45:00 +0000

  • Type: First Time appeared
    Values added: Acronis / Cyber Protect; Linux; Linux / Linux Kernel; Microsoft; Microsoft / Windows
  • Type: CPEs
    Values added: cpe:2.3:a:acronis:cyber_protect:*:*:*:*:*:*:*:*; cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
  • Type: Vendors & Products
    Values added: Acronis / Cyber Protect; Linux; Linux / Linux Kernel; Microsoft; Microsoft / Windows

Mon, 09 Mar 2026 17:15:00 +0000

  • Type: Metrics (ssvc)
    Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

  • Type: First Time appeared
    Values added: Acronis; Acronis / Cyber Protect 17
  • Type: Vendors & Products
    Values added: Acronis; Acronis / Cyber Protect 17

Fri, 06 Mar 2026 00:00:00 +0000

  • Type: Description
    Values added: Unauthorized modification of settings due to insufficient authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
  • Type: Weaknesses
    Values added: CWE-863
  • Type: References
    Values added: (none shown)
  • Type: Metrics (cvssV3_0)
    Values added: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Acronis

Published:

Updated: 2026-03-09T16:37:05.902Z

Reserved: 2026-03-03T02:29:03.754Z

Link: CVE-2026-28720

Vulnrichment

Updated: 2026-03-09T16:37:02.718Z

NVD

Status : Analyzed

Published: 2026-03-06T00:16:12.910

Modified: 2026-03-13T16:38:39.013

Link: CVE-2026-28720

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:00:11Z

Weaknesses