Impact
The vulnerability arises from an improper configuration of the headless browser component in Acronis Cyber Protect 17, which allows internal data to be accessed or transmitted beyond its intended boundary. As a result, confidential information such as configuration details or authentication data can be exposed, compromising the confidentiality of the affected environment. The flaw lies in the headless browser’s misconfigured permissions: an attacker who can influence the browser’s request handling may retrieve sensitive payloads that are normally protected. The damage is limited to information disclosure; there is no evidence of code execution or denial of service. Acronis Cyber Protect 17 installations on both Linux and Windows running builds before 41186 are affected. The CVSS base score of 5.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to involve local or compromised accounts interacting with the headless browser; no direct remote exploitation path has been documented.
Affected Systems
Affected systems are Acronis Cyber Protect 17 installations on Linux and Windows. All builds prior to build 41186 are vulnerable. No other product versions are currently known to be affected.
Risk and Exploitability
The CVSS base score of 5.5 signals moderate severity, while the EPSS score of less than 1% indicates a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. It is most likely to be abused by an attacker who already has local or compromised access to the system and can interact with the headless browser component; no direct remote exploitation path has been documented. The flaw permits leakage of confidential data but does not grant code execution, privilege escalation, or denial of service.
OpenCVE Enrichment