Description
Local privilege escalation due to improper soft link handling. The following products are affected: Acronis Cyber Protect 17 (Windows) before build 41186.
Published: 2026-03-05
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from improper handling of symbolic links, allowing a local attacker to gain higher privileges on the affected system. This flaw can elevate a low‑privilege user to an administrator or system account, compromising confidentiality, integrity, and availability of the Acronis Cyber Protect installation. The weakness is classified as CWE‑610.

Affected Systems

The flaw affects the Acronis Cyber Protect 17 product for Windows systems, specifically versions built before 41186. Any Windows installation of this product that has not reached the specified build is susceptible.

Risk and Exploitability

The CVSS score of 7.3 indicates high severity, yet the EPSS score of less than 1% suggests a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is local (AV:L in the CVSS vector), requiring the attacker to have access to the target machine's user environment to craft or manipulate symbolic links that the software ingests.

Generated by OpenCVE AI on April 16, 2026 at 11:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Acronis Cyber Protect product to build 41186 or later to obtain the vendor patch addressing the soft link handling flaw.
  • If the upgrade is not immediately possible, apply any available hotfix or service pack released by Acronis that contains the update for this vulnerability.
  • Restrict local user accounts from creating or modifying symbolic links and limit file system write permissions to minimize the opportunity for the flaw to be triggered.


Advisories

No advisories yet.

History

Thu, 16 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title | | Improper Symbolic Link Handling Enables Local Privilege Escalation in Acronis Cyber Protect 17

Wed, 11 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Acronis cyber Protect; Microsoft; Microsoft windows
CPEs | | cpe:2.3:a:acronis:cyber_protect:*:*:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products | | Acronis cyber Protect; Microsoft; Microsoft windows

Mon, 09 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Acronis; Acronis acronis Cyber Protect 17
Vendors & Products | | Acronis; Acronis acronis Cyber Protect 17

Fri, 06 Mar 2026 00:00:00 +0000

Type | Values Removed | Values Added
Description | | Local privilege escalation due to improper soft link handling. The following products are affected: Acronis Cyber Protect 17 (Windows) before build 41186.
Weaknesses | | CWE-610
References | |
Metrics | | cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Acronis

Published:

Updated: 2026-03-09T13:42:05.038Z

Reserved: 2026-03-03T02:29:03.754Z

Link: CVE-2026-28722

Vulnrichment

Updated: 2026-03-09T13:42:00.687Z

NVD

Status: Analyzed

Published: 2026-03-06T00:16:13.200

Modified: 2026-03-11T14:01:48.917

Link: CVE-2026-28722

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:00:11Z

Weaknesses