Security updates for Acronis products available

Acronis published software updates fixing security vulnerabilities in several products. Acronis has overall issued security advisories for a total of twelve vulnerabilities across multiple products. Users should check whether the products used are already up to date.

Of the twelve security advisories, four address vulnerabilities rated as a high risk, seven deal with vulnerabilities rated as a medium threat, and one alert addresses a security vulnerability rated as a low risk.

The Windows versions Acronis Cyber Protect 15 Update 6, Cyber Protect Home Office Build 40278 and Agent Update C23.02, which have now been available for three to seven months, close the most serious gap. This and newer versions patch a leak due to insecure privileges of a driver communication port that allows attackers to escalate their privileges (CVE-2023-41743, CVSS 8.8, risk high). Due to insufficient filtering of submitted data, malicious actors can inject commands into Acronis Cloud Manager for Windows prior to build 6.2.23089.203 (CVE-2023-41746, CVSS 8.0, high).

Extending the rights in the system was also possible because Acronis Cyber Protect 15 before Update 6 and the agent before 22.10 loaded unsigned libraries under macOS, which allows attackers to inject their own code with higher rights (CVE-2023-41744, CVSS 7.8, high). During installation, Cyber Protect Home Office for Windows prior to build 40278 incorrectly handled soft links, which also allowed escalation of privileges in the system (CVE-2022-46869, CVSS 7.3, high).

The developers have fixed other less risky vulnerabilities with the versions Acronis Cyber Protect 15 for Linux, macOS and Windows) Build 35979 and Acronis Agent for Linux, macOS and Windows) Build 35433.

Details regarding the list of vulnerabilities can be found in the according security advisories.

If you are still using older versions of the software, you should immediately download and install the updated versions that are available.