URGENT: Acronis Cyber Protect Critical CVE Cluster — Response Brief and Playbook
Date: 2026-02-21 Severity: CRITICAL — Immediate action required Author: [Your name / Security Team]
TL;DR
On February 20, 2026, Acronis disclosed seven vulnerabilities in Acronis Cyber Protect: three rated CVSS 10.0, one rated 9.8, and three of lower severity. The critical flaws let an unauthenticated attacker on the network read and modify sensitive data held by the product, including backups, credentials, and protected endpoints. No public PoC is known at the time of writing, but the vulnerable services are network-reachable and exploitation needs no credentials and no user interaction. Fixed builds are available. Patch now.
Affected Products
| Product | Platform | Vulnerable Versions | Fixed Build |
|---|---|---|---|
| Acronis Cyber Protect 16 | Linux, Windows | Before build 39938 | 39938+ (Update 4) |
| Acronis Cyber Protect 15 | Linux, Windows | Before build 41800 | 41800+ |
| Acronis Cyber Protect Cloud Agent | Linux, macOS, Windows | Before build 39870 | 39870+ (C25.03 Hotfix 2) |
CVE Summary
CVSS 10.0 — Maximum Severity
CVE-2025-30411 — Improper Authentication. Sensitive data disclosure and manipulation: the affected component does not correctly establish who is making a request, so its access controls can be bypassed outright.
CVE-2025-30412 — Insufficient Authentication. Same impact; a separate authentication bypass enabling unauthorised data access and modification.
CVE-2025-30416 — Missing Authorization. Authorization checks are absent on the affected component, so anyone who can reach it can read or alter sensitive data without presenting any credentials.
CVSS Vector (all three): AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
What this means in plain terms:
- Network exploitable — reachable over the network; no local or physical access needed
- Low attack complexity — no special conditions, race windows, or target-specific preparation
- No privileges required — attacker needs zero credentials
- No user interaction — no phishing or social engineering needed
- Changed scope — impact crosses into components beyond the vulnerable one (here: backup data and managed endpoints)
- Full CIA impact — confidentiality, integrity, and availability all rated High
CVSS 9.8
CVE-2025-30410 — Missing Authentication (Cloud Agent). The Cloud Agent counterpart: certain functions process requests without verifying the caller's identity. It affects the agent installed on protected endpoints, so the exposed surface is every managed host rather than the management server alone. A 9.8 corresponds to the same metrics as the three above with scope unchanged (S:U), i.e. impact confined to the agent's own security boundary.
Lower Severity (still patch)
| CVE | CVSS | Issue |
|---|---|---|
| CVE-2025-48961 | 7.3 | Privilege escalation via insecure folder permissions (Windows) |
| CVE-2025-48960 | 5.9 | Weak TLS server key (multi-platform) |
| CVE-2025-48962 | 4.3 | SSRF enabling information theft (macOS) |
Immediate Actions
1. Identify Exposure (Today)
- Inventory all Acronis Cyber Protect instances — servers, cloud agents, endpoints
- Check current build numbers against the fixed versions above
- Identify any internet-facing Acronis management consoles or API endpoints
- Check firewall/WAF logs for unusual traffic to Acronis service ports
2. Patch (Within 24-48 hours)
- Apply Acronis Cyber Protect 16 Update 4 (build 39938+)
- Apply Acronis Cyber Protect Cloud Agent C25.03 Hotfix 2 (build 39870+)
- If running Cyber Protect 15, update to build 41800+
- Verify build numbers post-update on every host rather than a sample: agents that silently failed to update are exactly the ones that stay exploitable
3. Mitigate If Patching Is Delayed
- Restrict network access to Acronis management interfaces — internal only, no public exposure
- Implement WAF rules or reverse-proxy ACLs in front of Acronis API endpoints as defence in depth only; because the flaw is that the service itself accepts unauthenticated requests, a WAF cannot reliably tell an exploit attempt from legitimate traffic, so the source allow-listing in the previous bullet is the control that matters
- Enable enhanced logging on Acronis services and forward to SIEM
- Consider temporarily isolating Acronis management servers from general network segments
4. Detect Potential Compromise
- Review Acronis service logs for unauthenticated or unexpected-source requests to management and agent interfaces, looking back well before the 2026-02-20 disclosure, since exploitation may predate it
- Check for unexpected changes to backup configurations or policies
- Look for data exfiltration indicators — unusual outbound traffic from Acronis hosts
- Audit user accounts and permissions for unauthorized modifications
- Check backup integrity — verify recent backups haven't been tampered with
5. Communicate
- Notify infrastructure/ops teams of required patching window
- Brief management on risk: unauthenticated remote data access, CVSS 10.0
- If you are a federal agency (FCEB): monitor for CISA KEV catalog addition — this will trigger mandatory remediation deadlines under BOD 22-01
- Document response timeline for compliance/audit trail
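Steps 1 and 2 above both reduce to comparing each host's reported build against the fixed builds in the Affected Products table and ranking what to patch first. The following script does that over an inventory export. It is an added example, not Acronis tooling: it assumes you can export host, product, version and an internet-facing flag from your CMDB or RMM, and it assumes the build number is the last run of digits in the reported version string. The inventory rows, hostnames and version strings are constructed for illustration.

```python
"""Build-exposure check for the Acronis Cyber Protect CVEs in this brief.

Added example, not Acronis tooling. Assumes an inventory CSV with columns
host,product,version,internet_facing and that the build number is the last
numeric field of the version string. Sample rows below are constructed.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import Optional

# Fixed builds from the Affected Products table in this brief.
FIXED_BUILD = {
    "Acronis Cyber Protect 16": 39938,
    "Acronis Cyber Protect 15": 41800,
    "Acronis Cyber Protect Cloud Agent": 39870,
}


@dataclass
class Finding:
    host: str
    product: str
    build: Optional[int]
    internet_facing: bool
    status: str  # patched | vulnerable | unknown-product | unparseable

    @property
    def priority(self) -> int:
        """0 = patch first (vulnerable and reachable from the internet)."""
        if self.status == "vulnerable":
            return 0 if self.internet_facing else 1
        if self.status in ("unknown-product", "unparseable"):
            return 2  # needs a human look; never silently treated as safe
        return 3


def parse_build(version: str) -> Optional[int]:
    """Assumption: the build is the last run of digits in the version string,
    e.g. '16.0.39938' -> 39938, 'build 39870' -> 39870."""
    digits = re.findall(r"\d+", version)
    return int(digits[-1]) if digits else None


def assess(host: str, product: str, version: str, internet_facing: bool) -> Finding:
    fixed = FIXED_BUILD.get(product)
    build = parse_build(version)
    if fixed is None:
        status = "unknown-product"
    elif build is None:
        status = "unparseable"
    else:
        status = "patched" if build >= fixed else "vulnerable"
    return Finding(host, product, build, internet_facing, status)


def check_inventory(csv_text: str) -> list:
    """Assess every row of the CSV export; urgent findings sort first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    findings = [
        assess(
            r["host"],
            r["product"],
            r["version"],
            r["internet_facing"].strip().lower() in ("yes", "true", "1"),
        )
        for r in rows
    ]
    return sorted(findings, key=lambda f: (f.priority, f.host))


def vulnerable_hosts(findings: list) -> list:
    return [f.host for f in findings if f.status == "vulnerable"]


# Constructed sample inventory; hostnames and version strings are made up.
SAMPLE_INVENTORY = """host,product,version,internet_facing
bk-mgmt-01,Acronis Cyber Protect 16,16.0.39938,yes
bk-mgmt-02,Acronis Cyber Protect 16,16.0.38703,yes
legacy-bk-01,Acronis Cyber Protect 15,15.0.41700,no
ws-0412,Acronis Cyber Protect Cloud Agent,25.03.39812,no
ws-0413,Acronis Cyber Protect Cloud Agent,build 39870,no
lab-old,Acronis Cyber Backup,12.5.16342,no
"""

if __name__ == "__main__":
    for f in check_inventory(SAMPLE_INVENTORY):
        print(f"P{f.priority} {f.host:<13} {f.product:<34} build={f.build} {f.status}")
```

Run the same script again after patching (step 2): a clean run is one where nothing sorts into P0 or P1, and anything in P2 has been resolved by hand rather than ignored, since a product the table does not know or a version string that cannot be parsed is not evidence that a host is safe.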
Risk Context
Why this matters beyond the score:
Acronis Cyber Protect manages backups and endpoint protection. A compromise here does not just expose the Acronis server: it potentially hands an attacker the backup data of every protected system, the ability to change backup policies (for example disabling or purging backups ahead of a ransomware deployment), and agent-level access to endpoints, where backup agents run with high privileges. This is a force multiplier for any threat actor, and backup infrastructure is a routine target in ransomware intrusions.
No public PoC yet, but with three separately disclosed CVSS 10.0 authentication bypasses in the same product, the attack surface is broad and the barrier to exploitation is low. Expect weaponisation soon; plan on a patch window measured in days, not weeks.
References
- BeyondMachines Advisory Summary
- CVE-2025-30411 Detail
- CISA KEV Catalog — check for additions
- Acronis Security Advisory Database
- CVSS Calculator: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H = 10.0
Brief prepared 2026-02-21. Review and update as new information becomes available. Check for CISA KEV addition and public PoC status daily until fully patched.