Description
Local privilege escalation due to improper input validation. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212, Acronis Cyber Protect Cloud Agent (Windows) before build 42183.
Published: 2026-04-29
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This issue is an improper input validation flaw that allows a local user to gain elevated privileges. The vulnerability is classified under CWE‑787, indicating a buffer overflow or out‑of‑bounds write condition. If successfully exploited, an attacker who is already authenticated on the target machine could execute arbitrary actions with higher permissions, compromising integrity and confidentiality of the system and any data managed by the affected applications.

Affected Systems

Acronis DeviceLock DLP for Windows prior to build 9.0.93212 and Acronis Cyber Protect Cloud Agent for Windows prior to build 42183 are affected. The flaw is present in Windows installations of these products that have not yet been updated to the specified build numbers.

Risk and Exploitability

The CVSS score of 7.8 indicates a high‑severity vulnerability, while the EPSS score is not available and the flaw is not listed in CISA KEV. The likely attack vector is local, requiring the attacker to have access to the machine where the vulnerable application runs. Once accessed, the flaw can be triggered by providing malformed input that leads to the out‑of‑bounds write, granting the attacker escalated privileges.

Generated by OpenCVE AI on April 29, 2026 at 16:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Acronis DeviceLock DLP to build 9.0.93212 or newer.
  • Upgrade Acronis Cyber Protect Cloud Agent to build 42183 or newer.
  • Limit local administrator privileges and review user accounts to remove unnecessary privileges as a temporary measure.

Generated by OpenCVE AI on April 29, 2026 at 16:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Title Improper Input Validation Allowing Local Privilege Escalation in Acronis DeviceLock DLP and Cyber Protect Cloud Agent

Wed, 29 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Description Local privilege escalation due to improper input validation. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212, Acronis Cyber Protect Cloud Agent (Windows) before build 42183.
Weaknesses CWE-787
References
Metrics cvssV3_0

{'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Acronis

Published:

Updated: 2026-04-29T15:41:49.160Z

Reserved: 2026-04-27T10:37:25.460Z

Link: CVE-2026-41220

cve-icon Vulnrichment

Updated: 2026-04-29T15:41:35.294Z

cve-icon NVD

Status : Received

Published: 2026-04-29T15:16:05.950

Modified: 2026-04-29T15:16:05.950

Link: CVE-2026-41220

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T17:00:13Z

Weaknesses