CVE-2026-28721 - Vulnerability Details

- Local Privilege Escalation through Improper Soft Link Handling in Acronis Cyber Protect 17

Description

Local privilege escalation due to improper soft link handling. The following products are affected: Acronis Cyber Protect 17 (Windows) before build 41186.

Published: 2026-03-05

Score: 7.3 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A local privilege escalation vulnerability exists in Acronis Cyber Protect 17 for Windows. The flaw stems from improper handling of symbolic links, allowing a local user to manipulate file paths in a way that elevates privileges. Because the vulnerability is classified as CWE‑610, it involves authorization bypass by accessing or writing to file objects that should be protected. The impact is the ability of an attacker with local access to read or modify privileged files, thereby compromising system integrity and confidentiality.

Affected Systems

Acronis Cyber Protect 17 running on Windows operating systems, specifically versions released before build 41186. No other vendors or product lines are mentioned in the CVE data.

Risk and Exploitability

The CVSS score of 7.3 places the vulnerability in the high severity range, but the EPSS score of less than 1% indicates that exploitation is unlikely in the short term. The CVE is not listed in the CISA KEV catalog, further reducing immediate threat. Attacks would require local access and the creation or manipulation of symbolic links, meaning only a user with some local privileges could exploit it. Once the flaw is leveraged, the attacker can elevate privileges within the system, potentially enabling further compromise.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Acronis

Acronis Cyber Protect 17

unaffected

Version	Status	Constraints
`unspecified`	affected	< 41186

Configuration 1 [-]

AND

cpe:2.3:a:acronis:cyber_protect:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Acronis

Acronis Cyber Protect 17

100%

Version	Status	Scheme	Platform
`[0,41186)`	affected	generic	['Windows']

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the official Acronis Cyber Protect 17 update to build 41186 or newer, which removes the hard‑coded soft‑link handling flaw.
If a patch is not yet available, restrict local accounts that can create or modify symbolic links by limiting the permissions granted to the Acronis service process, thereby preventing the manipulation of link targets.
Enforce Windows local security policy hardening to implement least privilege, particularly restricting write access to directories used by Acronis, which reduces the opportunity to abuse the vulnerable functionality.

Generated by OpenCVE AI on April 17, 2026 at 12:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00016.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://security-advisory.acronis.com/advisories/SEC-8445

History

Fri, 17 Apr 2026 13:00:00 +0000

Type	Values Removed	Values Added
Title		Local Privilege Escalation through Improper Soft Link Handling in Acronis Cyber Protect 17

Wed, 11 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Acronis cyber Protect Microsoft Microsoft windows
CPEs		cpe:2.3:a:acronis:cyber_protect:::::::: cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Acronis cyber Protect Microsoft Microsoft windows

Mon, 09 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 06 Mar 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Acronis Acronis acronis Cyber Protect 17
Vendors & Products		Acronis Acronis acronis Cyber Protect 17

Fri, 06 Mar 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		Local privilege escalation due to improper soft link handling. The following products are affected: Acronis Cyber Protect 17 (Windows) before build 41186.
Weaknesses		CWE-610
References		https://security-advisory.acronis.com/advisories/SEC-8445
Metrics		cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}`

Subscriptions

Acronis Acronis Cyber Protect 17 Cyber Protect

Microsoft Windows

MITRE

Status: PUBLISHED

Assigner: Acronis

Published: 2026-03-05T23:55:01.493Z

Updated: 2026-03-09T13:42:36.222Z

Reserved: 2026-03-03T02:29:03.754Z

Link: CVE-2026-28721

Vulnrichment

Updated: 2026-03-09T13:42:31.809Z

NVD

Status : Analyzed

Published: 2026-03-06T00:16:13.053

Modified: 2026-03-11T14:01:42.663

Link: CVE-2026-28721

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:45:16Z

Weaknesses

CWE-610

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object