Acronis Cyber Protect: Several security vulnerabilities, some of them critical

In the backup software Acronis Cyber Protect, the manufacturer has patched several security vulnerabilities, some of which are highly critical.


The manufacturer has discovered several security vulnerabilities, some of them highly critical, in the comprehensive virus protection and backup software Acronis Cyber Protect. The developers are patching these with updated software.

Attackers can use the vulnerabilities to access and manipulate confidential data or escalate their privileges on the system. Three vulnerabilities represent the worst-case scenario and receive the maximum CVSS score of 10 out of 10. Acronis does not provide any details, only a brief description. First, insufficient authentication allows attackers to read and modify sensitive data (CVE-2025-30411 / no EUVD yet, CVSS 10.0, risk “critical”). A missing authorization (CVE-2025-30416 / no EUVD yet, CVSS 10.0, risk “critical”) and another case of insufficient authentication (CVE-2025-30412 / no EUVD yet, CVSS 10.0, risk “critical”) have the same effect. The vulnerabilities affect Acronis Cyber Protect 16 for Linux and Windows before build number 39938.

Due to a further lack of authentication, unauthorized access to and potential manipulation of sensitive data are possible not only in the older Acronis Cyber Protect 16 builds mentioned above, but also in the Acronis Cyber Protect Cloud Agent for Linux, macOS, and Windows before build 39870 (CVE-2025-30410 / no EUVD, CVSS 9.8, risk “critical”). There is also a vulnerability in Acronis Cyber Protect 16 for Windows before build 39938 that allows attackers to escalate their privileges in the system due to insecure folder permissions (CVE-2025-48961 / EUVD-2025-16875, CVSS 7.3, risk “high”).


Before build 39938, Acronis Cyber Protect 16 for Linux, macOS, and Windows also uses a weak server key for TLS encryption (CVE-2025-48960 / EUVD-2025-16874, CVSS 5.9, risk “medium”). In addition to macOS, attackers can also misuse server-side request forgery (SSRF) to steal sensitive information (CVE-2025-48962 / EUVD-2025-16876, CVSS 4.3, risk “medium”).

Updates have been available for about a month in the form of Acronis Cyber Protect 16 Update 4 for Linux, macOS, and Windows and Acronis Cyber Protect Cloud Agent Update C25.03 Hotfix 2. Anyone using Acronis should install the updates quickly to minimize the attack surface.

Security vulnerabilities in Acronis software are of interest to cybercriminals. In the middle of last year, they attacked a vulnerability in Acronis Cyber Infrastructure that allowed malicious code to be injected and executed.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.