CVE-2026-28710 · CWE-1390 · Disclosed 2026-03-06

Sensitive information disclosure and manipulation due to improper authentication

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a master-key flaw on a backup admin console, but usually behind your own front door

CVE-2026-28710 is an improper-authentication flaw in Acronis Cyber Protect 17 on Linux and Windows before build 41186. The exposed component is the management plane: Acronis documents the management server as the central component and says its web UI and REST API are served on TCP 9877, with agents talking to the server over 7780. If an attacker can reach that console and successfully trigger the auth weakness, the impact is ugly: backup administration data and protected-environment state can be read or manipulated.

The raw vendor/NVD story overstates urgency for most enterprises. NVD later enriched it to 9.8 CRITICAL on 2026-03-12, but the CNA entry from Acronis on 2026-03-05/06 scored it 8.1 HIGH with AC:H, which lines up better with reality. This is still a serious backup-infrastructure issue, but the reachable population is narrower than a true internet-facing mass-exploitation bug: these servers are commonly on-prem, often internal-only, sometimes even offline/air-gapped, there is no KEV listing, no public PoC found, and the supplied EPSS 0.00132 points to low near-term exploitation pressure.

"Bad if exposed, but this is usually an internal backup console bug, not an internet-scale fire drill."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable Acronis management server

The attacker first needs network reachability to the Acronis management plane, typically the HTTPS web console / REST API on :9877. In practice this is done with commodity tooling like httpx, nmap, or a custom nuclei fingerprint aimed at the login surface and Acronis response patterns.
Conditions required:
  • Target runs Acronis Cyber Protect 17 before build 41186
  • Management server is deployed and reachable from the attacker's network position
  • Attacker can talk to TCP 9877 or another published management endpoint
Where this breaks in practice:
  • Acronis positions this as an on-prem management server product, not a public SaaS-only edge service
  • Many enterprises keep backup/admin planes on internal networks or separate management VLANs
  • Internet exposure is far lower than for VPNs, mail gateways, or remote support appliances
Detection/coverage: External exposure is easy to inventory with ASM, nmap, or custom nuclei checks. Vulnerability scanners can usually flag version/build, but exploit-specific detection is limited because the vendor has not published protocol-level IOCs.
STEP 02

Probe the authentication weakness

The attacker then tests the console's authentication flow with Burp Suite, curl, or a bespoke script to identify the improper-authentication condition. Based on the CNA score's AC:H, exploitation likely depends on a specific sequence, state, or request pattern rather than a one-packet bypass.
Conditions required:
  • Attacker can interact directly with the console/API
  • The vulnerable auth path is enabled in the deployed build
  • Attacker understands the request flow well enough to reproduce the bypass
Where this breaks in practice:
  • No public proof-of-concept was found in open sources
  • CISA ADP metadata marks exploitation as none and automatable as no
  • Acronis has not published the root-cause mechanics, so exploit development burden is non-trivial
Detection/coverage: WAFs and reverse proxies may log anomalous auth requests if the console is fronted by them, but many deployments expose the service directly on an internal segment. Expect low signature coverage until exploit details become public.
STEP 03

Operate as an unauthorized console user

Once the auth weakness is triggered, the attacker can act through the same management interface administrators use. Tooling is just the product's own API surface plus browser automation or API calls, which makes malicious actions blend into ordinary console traffic unless you monitor for impossible admin behavior.
Conditions required:
  • Authentication bypass succeeds
  • The vulnerable account/session scope grants access to management functions or sensitive data
Where this breaks in practice:
  • Blast radius depends on what that console instance manages: one server, one site, or many workloads
  • Role scoping and network segmentation can contain follow-on movement even after console compromise
Detection/coverage: Look for new sessions from unusual source IPs, API use outside maintenance windows, backup-plan changes, retention changes, repository settings changes, and suspicious restore/export activity in Acronis audit logs and reverse-proxy logs.
STEP 04

Manipulate backup and recovery posture

The real damage is not just data viewing; it's tampering with the recovery system itself. An attacker can alter jobs, retention, destinations, or other management settings to weaken resilience before or during a broader intrusion, turning your backup platform into a sabotage point.
Conditions required:
  • Compromised console has permissions over backup policies, repositories, or managed workloads
  • Defender lacks secondary approval or strong change monitoring on backup administration
Where this breaks in practice:
  • If the server manages only a small scope, the enterprise-wide blast radius is limited
  • Immutable/offline copies and separate admin controls reduce the worst-case outcome
  • Out-of-band monitoring may catch destructive plan changes before recovery assets are lost
Detection/coverage: Coverage is mostly behavioral: SIEM alerts on plan edits, repository deregistration, mass disablement of jobs, unexpected restore/export actions, and admin logins from non-management jump hosts.
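The behavioral checks listed for STEP 03 and STEP 04 (logins from non-management hosts, plan/retention/repository changes outside maintenance windows, mass disablement of jobs) as runnable detection logic. This is an added example, not the noisgate verification payload and not an Acronis log format: the line layout, the management subnet 10.10.50.0/24, the 01:00-05:00 maintenance window and the action names are assumptions, because the page publishes no Acronis audit-log schema.

```python
#!/usr/bin/env python3
"""Added example: behavioral detection for backup-admin abuse.

Not the noisgate verification payload and not an Acronis log format.
The line layout, subnets, window and action names below are assumptions.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, time

# Assumption: admin/jump-host subnet from which console use is expected.
MGMT_SUBNETS = [ipaddress.ip_network("10.10.50.0/24")]
# Assumption: approved maintenance window (UTC) for backup-plan changes.
MAINTENANCE_WINDOW = (time(1, 0), time(5, 0))
# Assumption: action names for the changes the assessment says to watch.
HIGH_RISK_ACTIONS = {
    "plan.update", "plan.delete", "plan.disable", "retention.update",
    "repository.deregister", "restore.start", "export.start",
}

# Constructed sample lines in a hypothetical "ts user= src= action= object=" layout.
SAMPLE_LOG = """
2026-03-10T02:15:00Z user=backupadmin src=10.10.50.12 action=login
2026-03-10T02:16:30Z user=backupadmin src=10.10.50.12 action=plan.update object=plan-nightly-db
2026-03-10T14:03:11Z user=svc-monitor src=10.20.7.44 action=login
2026-03-10T14:04:02Z user=svc-monitor src=10.20.7.44 action=retention.update object=plan-nightly-db
2026-03-10T14:04:40Z user=svc-monitor src=10.20.7.44 action=repository.deregister object=repo-offsite-1
2026-03-10T14:05:01Z user=svc-monitor src=10.20.7.44 action=plan.disable object=plan-fileserver
2026-03-10T14:05:02Z user=svc-monitor src=10.20.7.44 action=plan.disable object=plan-exchange
2026-03-10T14:05:03Z user=svc-monitor src=10.20.7.44 action=plan.disable object=plan-vmware
2026-03-10T14:30:00Z user=backupadmin src=10.10.50.12 action=login
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)"
    r"(?: object=(?P<obj>\S+))?$"
)


def parse_line(line):
    """Return an event dict, or None for blank/unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def from_mgmt_host(addr):
    return any(addr in net for net in MGMT_SUBNETS)


def in_maintenance_window(ts):
    start, end = MAINTENANCE_WINDOW
    return start <= ts.time() < end


def evaluate(lines, disable_threshold=3):
    """Apply the assessment's behavioral rules; return one finding per (event, reason)."""
    findings = []
    disables_per_user = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = []
        if ev["action"] == "login" and not from_mgmt_host(ev["src"]):
            reasons.append("login_from_non_mgmt_host")
        if ev["action"] in HIGH_RISK_ACTIONS:
            if not in_maintenance_window(ev["ts"]):
                reasons.append("high_risk_change_outside_window")
            if not from_mgmt_host(ev["src"]):
                reasons.append("high_risk_change_from_non_mgmt_host")
        if ev["action"] == "plan.disable":
            disables_per_user[ev["user"]] += 1
        for reason in reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"], "src": str(ev["src"]),
                             "action": ev["action"], "object": ev["obj"], "reason": reason})
    # Mass disablement of jobs is one finding per user, not one per event.
    for user, n in disables_per_user.items():
        if n >= disable_threshold:
            findings.append({"ts": None, "user": user, "src": None, "action": "plan.disable",
                             "object": f"{n} plans", "reason": "mass_plan_disable"})
    return findings


def summarize(lines):
    """Count findings by reason; useful as a quick sanity check for a SIEM rule set."""
    return Counter(f["reason"] for f in evaluate(lines))


if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOG.splitlines()):
        print(f"{f['reason']:<38} user={f['user']} src={f['src']} "
              f"action={f['action']} object={f['object']}")
```

On the constructed sample, the in-window change by backupadmin from the jump-host subnet produces nothing, while the svc-monitor session from a user VLAN trips the login rule, every high-risk change twice (outside window and from a non-management host), and the three consecutive plan.disable events collapse into one mass-disablement finding. Tune the threshold and the window to your own change calendar before wiring it to a SIEM.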
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: No confirmed active exploitation found in public authoritative sources reviewed. CISA ADP metadata for this CVE records exploitation as none.
KEV status: Not listed in the CISA KEV catalog as of this assessment.
Proof-of-concept availability: No public PoC located in open-source searches. CERT Santé explicitly notes no open-source proof of concept available at publication.
EPSS: Provided EPSS is 0.00132 (~0.132% 30-day exploitation probability). That is low and argues against panic patching *solely* on exploit-likelihood grounds.
CVSS story: There is a scoring split: Acronis CNA scored 8.1 HIGH with AC:H, while NVD later enriched it to 9.8 CRITICAL with AC:L. For risk triage, the vendor's AC:H matches the lack of PoC/KEV better.
Affected versions: Acronis Cyber Protect 17 on Linux and Windows before build 41186.
Fixed version: Upgrade to Acronis Cyber Protect 17 build 41186 or later. Acronis release notes show build 41186 as the security-fix baseline, with later builds like 41224, 41676, and 42054 superseding it.
Exposure precondition: Acronis documents the management server as exposing TCP 9877 for the web UI and REST API and 7780 for agent/server messaging. That means this is only remotely reachable where the management plane is exposed to the attacker.
Deployment reality: Acronis positions Cyber Protect 17 as an on-premises deployment product and explicitly supports offline management-server activation workflows. That strongly suggests many real deployments are not broadly internet-exposed.
Disclosure timeline: CVE record published by Acronis on 2026-03-05/06; NVD enrichment adding its own 9.8 score landed on 2026-03-12.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to HIGH (7.6/10)

The decisive factor is attacker reachability to a backup management console that is usually internal-only, not a broadly exposed edge service. If your Acronis server is externally reachable this becomes much more urgent locally, but at enterprise scale the reachable population and lack of exploitation evidence keep it out of the CRITICAL bucket.

HIGH: Affected product, versions, and fixed build
MEDIUM: Assessment that real-world exposure is usually limited to internal/admin networks
MEDIUM: Assessment that exploitation is non-trivial due to absent PoC and CNA `AC:H`

Why this verdict

  • Start from the vendor/CNA baseline, not the later NVD inflation: Acronis scored this 8.1 HIGH with AC:H, while NVD later raised it to 9.8 on 2026-03-12. The lack of public exploit detail supports the higher-complexity interpretation.
  • Reachability pressure pushes down: exploitation requires unauthenticated remote access to the Acronis management plane. That implies the attacker must already be on an internal/admin network in many enterprises, or you must have made a bad exposure decision by publishing the console externally.
  • Population exposed is narrower than edge appliances: backup management servers are widely deployed but not widely internet-exposed. This sharply reduces internet-scale wormability and opportunistic scanning value.
  • Modern controls can stop step 1: NGFW policy, management-network segmentation, VPN/jump-host requirements, and external attack-surface management should keep :9877 off hostile networks. A true CRITICAL internet fire drill usually lacks this much environmental friction.
  • Threat intel pressure is low: no KEV, no public PoC found, and EPSS 0.00132 all pull downward. That does not make the bug safe; it makes it a serious infrastructure patch, not an immediate internet-wide emergency.
  • Blast radius pushes back up: when reachable and exploitable, this hits a backup/control plane, which is disproportionately important. Manipulation of backup policy and recovery posture is exactly how intruders turn an ordinary compromise into a resilience failure.

Why not higher?

It is not CRITICAL because the attack path has compounding friction: a reachable management console, an auth weakness the CNA itself scored as high complexity, and no public exploitation evidence. The product's deployment model is usually internal/admin-plane, which is a very different reality from an internet-edge appliance with active mass scanning.

Why not lower?

It is not MEDIUM because the potential impact sits on top of backup and recovery administration, not a low-value leaf service. Even without KEV, unauthorized access to a backup management server can directly undermine containment and recovery across many hosts, so this deserves a strong infrastructure-priority response.

05 · Compensating Control

What to do — in priority order.

  1. Restrict console reachability — Put Acronis management interfaces behind VPN/jump-host access and allowlist only admin subnets for TCP 9877 and related management ports. Do this within 30 days to meet the HIGH noisgate mitigation window, faster if the service is currently internet-exposed.
  2. Hunt for exposed servers — Use ASM, firewall object search, and port scans to find any Acronis management servers reachable from untrusted networks. Exposure is the key severity amplifier here, so remove it within 30 days.
  3. Monitor backup-admin changes — Alert on console logins from non-management hosts, policy/retention changes, repository changes, and unexpected restore/export activity. This does not fix the flaw, but it shortens dwell time while you work the patch inside the 30-day mitigation window.
  4. Enforce admin-plane segmentation — Keep backup infrastructure on a dedicated management network with tight east-west ACLs so an ordinary workstation compromise cannot immediately reach the console. Treat this as a compensating barrier to deploy within 30 days.
  5. Validate immutable or offline copies — Because the likely impact is backup sabotage, verify that recovery copies and out-of-band backups remain intact and administratively separate. This reduces blast radius while patching and should be checked within 30 days.
What doesn't work
  • Endpoint AV on protected workloads alone does not solve this, because the vulnerable surface is the management server's auth path, not the endpoint agent.
  • MFA on your VPN helps only if the server is behind that VPN. It does nothing if :9877 is directly exposed or reachable from already-compromised internal segments.
  • Version-agnostic web scanning is weak here; without product-aware checks it may find the login page but miss the vulnerable build or the auth edge case.
06 · Verification

Crowdsourced verification payload.

Run this on the target Acronis management server host or via your software-distribution tooling. Invoke it as python3 check_acronis_cve_2026_28710.py on Linux or py check_acronis_cve_2026_28710.py on Windows; local admin helps on Windows for registry access, but the script will still try common file locations without elevation. It checks for Acronis Cyber Protect 17 build numbers and returns VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.py (Python · read-only · safe)
#!/usr/bin/env python3
# check_acronis_cve_2026_28710.py
# Detect likely vulnerability status for CVE-2026-28710 on Acronis Cyber Protect 17
# Affected: builds before 41186 on Linux/Windows
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

import os
import re
import sys
import glob
import platform
import subprocess

THRESHOLD = 41186


def parse_build(text):
    if not text:
        return None
    # Prefer explicit build markers first
    patterns = [
        r'build\s*[:=]?\s*(\d{4,6})',
        r'17\.0\.(\d{4,6})',
        r'Acronis.*?(\d{4,6})'
    ]
    for pat in patterns:
        m = re.search(pat, text, re.IGNORECASE | re.DOTALL)
        if m:
            try:
                return int(m.group(1))
            except Exception:
                pass
    return None


def read_text_file(path):
    try:
        with open(path, 'r', encoding='utf-8', errors='ignore') as f:
            return f.read()
    except Exception:
        return None


def check_linux():
    candidates = [
        '/usr/lib/Acronis/**',
        '/opt/Acronis/**',
        '/var/lib/Acronis/**',
        '/etc/Acronis/**'
    ]
    seen = []
    for pattern in candidates:
        for path in glob.glob(pattern, recursive=True):
            if os.path.isfile(path):
                low = path.lower()
                if any(k in low for k in ['version', 'release', 'build', 'manifest']):
                    seen.append(path)
    for path in seen[:200]:
        txt = read_text_file(path)
        build = parse_build(txt)
        if build:
            return build, path

    # Fallback: try package managers
    commands = [
        ['rpm', '-qa'],
        ['dpkg-query', '-W', '-f=${Package} ${Version}\n']
    ]
    for cmd in commands:
        try:
            out = subprocess.check_output(cmd, stderr=subprocess.DEVNULL, text=True, timeout=20)
            if 'acronis' in out.lower():
                build = parse_build(out)
                if build:
                    return build, 'package-manager'
        except Exception:
            pass
    return None, None


def check_windows_registry():
    try:
        import winreg
    except Exception:
        return None, None

    keys = [
        r'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        r'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        r'SOFTWARE\Acronis'
    ]

    for hive in (winreg.HKEY_LOCAL_MACHINE,):
        for key_path in keys:
            try:
                base = winreg.OpenKey(hive, key_path)
            except Exception:
                continue
            try:
                count = winreg.QueryInfoKey(base)[0]
            except Exception:
                count = 0
            for i in range(count):
                try:
                    subname = winreg.EnumKey(base, i)
                    sub = winreg.OpenKey(base, subname)
                    values = {}
                    idx = 0
                    while True:
                        try:
                            name, value, _ = winreg.EnumValue(sub, idx)
                            values[name] = str(value)
                            idx += 1
                        except OSError:
                            break
                    blob = ' '.join(values.values())
                    if 'acronis' in blob.lower() and 'cyber protect' in blob.lower():
                        build = parse_build(blob)
                        if build:
                            return build, 'registry:' + key_path + '\\' + subname
                except Exception:
                    continue
    return None, None


def check_windows_files():
    roots = [
        os.environ.get('ProgramFiles', r'C:\Program Files'),
        os.environ.get('ProgramFiles(x86)', r'C:\Program Files (x86)'),
        os.environ.get('ProgramData', r'C:\ProgramData')
    ]
    seen = []
    for root in roots:
        if not root or not os.path.isdir(root):
            continue
        for pattern in [
            os.path.join(root, 'Acronis', '**', '*version*'),
            os.path.join(root, 'Acronis', '**', '*release*'),
            os.path.join(root, 'Acronis', '**', '*build*'),
            os.path.join(root, 'Acronis', '**', '*manifest*')
        ]:
            seen.extend(glob.glob(pattern, recursive=True))
    for path in seen[:300]:
        if os.path.isfile(path):
            txt = read_text_file(path)
            build = parse_build(txt)
            if build:
                return build, path
    return None, None


def main():
    system = platform.system().lower()
    build = None
    source = None

    if system == 'windows':
        build, source = check_windows_registry()
        if not build:
            build, source = check_windows_files()
    else:
        build, source = check_linux()

    if build is None:
        print('UNKNOWN - Acronis Cyber Protect 17 build not found automatically')
        sys.exit(2)

    if build < THRESHOLD:
        print(f'VULNERABLE - detected build {build} from {source}; fixed in build {THRESHOLD} or later')
        sys.exit(1)
    else:
        print(f'PATCHED - detected build {build} from {source}; meets/exceeds fixed build {THRESHOLD}')
        sys.exit(0)


if __name__ == '__main__':
    main()
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: find every Acronis Cyber Protect 17 management server, identify anything before build 41186, and immediately separate any externally reachable console from hostile networks. For a HIGH verdict, the noisgate mitigation SLA is ≤30 days and the noisgate remediation SLA is ≤180 days; here that means lock down exposure and monitoring within 30 days, then complete upgrades to build 41186+ across the fleet inside 180 days. If you discover a server already exposed to the internet, do not wait for the standard window—treat that host as an exception and patch or isolate it first because exposure is the one factor that turns this from serious into urgent.

Sources

  1. NVD CVE-2026-28710
  2. Acronis advisory SEC-9137 / advisory database entry
  3. Acronis Cyber Protect 17 release notes
  4. Acronis Cyber Protect 17 on-prem documentation
  5. Acronis network connection diagram
  6. CISA Known Exploited Vulnerabilities Catalog
  7. CIRCL Vulnerability Lookup for CVE-2026-28710
  8. CERT Santé advisory for CVE-2026-28710