Distilled Context
Acronis Cyber Protect CVE Cluster — Distilled Context
Summary
On Feb 20, 2026, Acronis disclosed 7 vulnerabilities in Cyber Protect. Three are CVSS 10.0, one is 9.8. All critical flaws allow unauthenticated remote access to sensitive data. No public PoC yet. Patches available.
Critical CVEs
| CVE | CVSS | Flaw | CWE |
|---|---|---|---|
| CVE-2025-30411 | 10.0 | Improper Authentication | Authentication bypass → data disclosure + manipulation |
| CVE-2025-30412 | 10.0 | Insufficient Authentication | Same vector, separate auth failure |
| CVE-2025-30416 | 10.0 | Missing Authorization | No authorization check at all on protected components |
| CVE-2025-30410 | 9.8 | Missing Authentication (Cloud Agent) | Agent-level unauthenticated access |
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Translation: network-exploitable, trivial complexity, zero credentials needed, no user interaction, full CIA impact with changed scope.
Affected Products & Fix Versions
- Cyber Protect 16 (Linux, Windows): vulnerable before build 39938 → apply Update 4
- Cyber Protect 15 (Linux, Windows): vulnerable before build 41800
- Cloud Agent (Linux, macOS, Windows): vulnerable before build 39870 → apply C25.03 Hotfix 2
Lower Severity (same disclosure)
- CVE-2025-48961 (7.3): Privilege escalation, insecure folder permissions, Windows only
- CVE-2025-48960 (5.9): Weak TLS server key, multi-platform
- CVE-2025-48962 (4.3): SSRF, macOS only
Why This Matters
Acronis Cyber Protect manages backups and endpoint protection. Compromising it gives attackers access to backup data for all protected systems, ability to modify/disable backup policies (pre-ransomware prep), and agent-level endpoint access. This is a force multiplier.
Key Dates
- 2025-03-21: CVE reserved
- 2026-02-20: Public disclosure
- Patches available: ~1 month prior to disclosure (Update 4 / Hotfix 2)
- CISA KEV: Not yet listed — monitor daily