CVE-2026-28713 · Default credentials set for local privileged user in Virtual Appliance.

01 · The Real Story

This is a spare key left under the mat, but only for a server room most attackers still have to find first

CVE-2026-28713 is a default-credentials flaw affecting the VMware virtual appliance form factors of Acronis Cyber Protect Cloud Agent before build 36943 and Acronis Cyber Protect 17 before build 41186. In plain English: the appliance includes a local privileged account with vendor-set credentials, so anyone who can reach the relevant management/login surface and knows the credential pair can authenticate as a powerful local user.

The vendor's HIGH 7.1 score overstates enterprise urgency a bit. The impact is absolutely real because backup infrastructure is sensitive and privileged, but the exploit chain has meaningful friction: this is a VMware appliance deployment only, typically parked on an internal management network, and I found no KEV entry, no public exploitation evidence, and no public PoC in primary sources. That makes this a solid MEDIUM for most fleets, not because default credentials are harmless, but because the exposed population and attacker reach are much narrower than a generic internet-facing auth bypass.

"High impact on paper, but real-world reach is narrow: internal VMware appliance, default creds, and no exploitation signal."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find an Acronis VMware appliance

An attacker first has to identify that the target environment runs the affected Acronis virtual appliance. In practice this usually means post-compromise network discovery with tools like nmap, inventory scraping, vCenter recon, or reading admin documentation left on reachable systems. The product's own deployment docs show the appliance is configured through the vSphere console and connected to vCenter/ESXi, which strongly suggests a management-plane placement rather than commodity internet exposure.

Conditions required:

Network reachability to the appliance or adjacent management segment
Affected deployment uses the VMware virtual appliance form factor
Attacker can enumerate internal services or management assets

Where this breaks in practice:

Most enterprises do not intentionally expose backup appliances directly to the internet
The vulnerable population is limited to VMware appliance deployments, not all Acronis installs
Network segmentation or separate backup/admin VLANs often block this discovery step

Detection/coverage: External scanners will miss a lot of this because exposure is commonly internal-only. Internal ASM, CMDB, vCenter inventory, and authenticated VM discovery are better than perimeter scanning here.

STEP 02

Reach the appliance login surface

The attacker then needs access to whatever interface accepts the local privileged account, typically a console, SSH-like management path, or other appliance-local authentication surface. The CVSS vector's UI:R and AC:H imply the vendor sees exploitation as requiring specific conditions rather than a single anonymous HTTP request. Weaponization here is straightforward once reachability exists: standard login tooling such as Hydra or manual authentication attempts are enough.

Conditions required:

Reachability to the appliance management interface
Interface for the local privileged account is enabled and exposed to the attacker's network position
No upstream NAC, VPN, jump host, or ACL blocks the path

Where this breaks in practice:

Management interfaces are often pinned to admin workstations, bastions, or vSphere console access
Some environments disable direct remote shell access to appliances
MFA on adjacent management workflows can limit how easily attackers get to the segment even if this local account itself lacks MFA

Detection/coverage: Look for failed and successful local-auth attempts in appliance auth logs, hypervisor console access logs, and east-west firewall telemetry. Brute-force behavior is likely noisy unless the attacker already knows the exact credential.

STEP 03

Authenticate with the default privileged account

If the account still uses the vendor-set credentials, the attacker can log in without needing an existing Acronis account. This is the core flaw: authentication bypass by predictability rather than software memory corruption. Tooling is low-skill once the credential pair is known; the hard part is reachability, not exploit engineering.

Conditions required:

Default credentials were never changed or were reintroduced by deployment/update behavior
The specific local privileged account still exists
No account lockout or compensating access control blocks repeated login attempts

Where this breaks in practice:

Mature teams often rotate appliance credentials during commissioning
Golden-image or IaC controls may override weak defaults after deployment
Some shops allow access only through vSphere console, reducing remote abuse

Detection/coverage: Credentialed vuln scanners may not detect this safely. The best confirmation is direct validation of the local account state, build number, and auth policy on the appliance.

STEP 04

Abuse backup-plane privileges

Once logged in, the attacker can target backup operations, retention, stored credentials, or appliance trust relationships to vCenter/ESXi and the Acronis management service. That can mean tampering with backups, staging destructive recovery changes, or pivoting deeper into the virtualization environment. The blast radius can be ugly, but it is mostly bounded to where this appliance has trust and reach.

Conditions required:

Authenticated session as the privileged local appliance user
Appliance has useful trust relationships to backup targets, vCenter, ESXi, or storage
Attacker objectives include sabotage, credential harvesting, or lateral movement

Where this breaks in practice:

Least-privileged vCenter accounts reduce follow-on damage
Separate immutable backup design and offline copies limit ransomware-style impact
EDR/SIEM on adjacent systems may catch downstream abuse even if the appliance itself is lightly monitored

Detection/coverage: Monitor for suspicious backup policy changes, deletion attempts, datastore access anomalies, unusual vCenter API use, and unexpected logins originating from the appliance.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No confirmed active exploitation found in primary sources reviewed. The CVE is not listed in CISA KEV.
Proof-of-concept availability	No public PoC located in vendor, NVD, or CVE references I reviewed. That does not make it safe; it just means attacker enablement appears low-friction only after discovery/reachability.
EPSS	Prompt intel says 0.00058. Third-party snapshots around late May 2026 show roughly 0.0004–0.00046, which is still very low and directionally consistent. I treat this as low exploit-likelihood signal, not proof of safety.
KEV status	Not KEV-listed as of 2026-05-29 review date.
CVSS vector	`CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L` — vendor models this as network-reachable, but with high complexity and user/condition dependence, which matches a niche management-plane appliance better than a wormable edge flaw.
Affected versions	Acronis Cyber Protect Cloud Agent (VMware) before build 36943 and Acronis Cyber Protect 17 (VMware) before build 41186.
Fixed versions	Upgrade to Cloud Agent (VMware) build 36943+ or Cyber Protect 17 (VMware) build 41186+. Acronis links the fixes to update tracks `UPD-2312-bb14-e27f` and `UPD-2510-e871-9553`.
Exposure / scanning reality	I found no reliable public GreyNoise/Shodan/Censys/FOFA evidence tying this CVE to broad internet exposure. Acronis deployment docs show the appliance is configured from the vSphere console and attached to vCenter/ESXi, so the likely exposure population is internal management networks. That reachability assessment is an inference from deployment documentation, not a measured internet census.
Disclosure timeline	Disclosed 2026-03-06; NVD shows the CVE record was received from Acronis on 2026-03-05 and enriched by NIST on 2026-03-13.
Reporter / source authority	CVE and advisory were published by Acronis International GmbH as CNA. I found no named external researcher credit on the advisory.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.8/10)

The decisive factor is attacker position: this flaw is most dangerous only after an attacker reaches an internal backup-management appliance, which already implies either misconfiguration or some prior foothold. The blast radius can be high inside that enclave, but the reachable population is much smaller than the vendor's generic network-based score suggests.

HIGH Affected versions and fixed build thresholds

MEDIUM Real-world exposure assumptions for VMware appliance deployments

MEDIUM Absence of public PoC / active exploitation evidence at review time

Why this verdict

Start from 7.1 HIGH: default credentials on a privileged backup appliance can absolutely lead to sensitive data access and operational sabotage.
Downward pressure — VMware appliance only: this is not every Acronis endpoint or every agent; it is the virtual-appliance deployment path, which narrows affected population materially.
Downward pressure — likely internal management plane: Acronis docs show setup via vSphere console and vCenter/ESXi connectivity, which usually means segmented admin networks rather than broad internet exposure.
Downward pressure — attacker reach is the real gate: the exploit is easy *after* access to the appliance interface, but getting to that interface is the hard part in well-run environments.
Downward pressure — no exploitation signal: no KEV listing, no public PoC found, and a very low EPSS all argue against emergency-tier prioritization.
Upward pressure — backup infrastructure matters: if exploited, this can touch recovery operations, stored trust, and potentially the virtualization control plane, so this is not backlog fluff.

Why not higher?

This is not a mass-exploitable edge bug with broad anonymous reach. The chain depends on a narrower product slice, a management-plane path, and the default credentials still being present, which compounds friction. Absent active exploitation or wide internet exposure, CRITICAL/HIGH would over-prioritize it against more reachable flaws.

Why not lower?

A privileged default account on backup infrastructure is never a paperwork-only issue. If an attacker does reach the appliance, impact can include backup tampering, credential abuse, and follow-on movement into VMware-adjacent systems. That risk keeps it above LOW.

05 · Compensating Control

What to do — in priority order.

Inventory every Acronis VMware appliance — Find all Acronis Cyber Protect 17 and Cloud Agent for VMware virtual appliances in vCenter, CMDB, and backup administration records. Because this is MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window unless you discover external exposure or suspicious logins.
Restrict management-plane reachability — Limit appliance access to backup admins and jump hosts only, using ACLs, firewall rules, and management VLAN segmentation. This directly attacks the biggest real-world friction point in the exploit chain; for a MEDIUM finding, deploy during normal network-hardening work if not already in place.
Rotate or disable local privileged defaults — If the appliance permits credential rotation or account disablement, remove any vendor-known local credentials immediately after validation. This is the most direct compensating control when patching will wait for the normal ≤365-day remediation window.
Review appliance trust scope — Check what vCenter/ESXi accounts, storage paths, and backup repositories the appliance can touch. Reducing those permissions limits blast radius even if the default account is abused.
Monitor for appliance-sourced admin activity — Alert on unusual logins from the appliance to vCenter/ESXi, backup repository changes, backup deletion attempts, and sudden policy edits. This does not prevent initial authentication, but it raises the chance of catching follow-on abuse.

What doesn't work

A perimeter WAF doesn't help much because this is not primarily a public web-app exploit path; the issue is appliance-local privileged authentication.
Endpoint EDR on user workstations does nothing for an attacker already logging into the appliance itself.
Generic external vuln scanning alone will under-detect this because many affected appliances sit on internal management networks and the flaw is credential-state dependent.

06 · Verification

Crowdsourced verification payload.

Run this on the target Acronis VMware appliance or on a cloned shell session to it. Invoke it as sudo bash check_cve_2026_28713.sh cp17 or sudo bash check_cve_2026_28713.sh cloud-agent; it needs local shell access and enough privileges to inspect package metadata and Acronis install paths.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_cve_2026_28713.sh
# Purpose: Best-effort local check for CVE-2026-28713 on Acronis VMware appliances.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0 PATCHED, 1 VULNERABLE, 2 UNKNOWN, 3 USAGE

set -u

PRODUCT="${1:-}"
if [[ -z "$PRODUCT" ]]; then
  echo "Usage: $0 <cp17|cloud-agent>"
  exit 3
fi

case "$PRODUCT" in
  cp17) THRESHOLD=41186 ;;
  cloud-agent) THRESHOLD=36943 ;;
  *) echo "Usage: $0 <cp17|cloud-agent>"; exit 3 ;;
esac

extract_build() {
  local out build

  # 1) Try package managers
  if command -v rpm >/dev/null 2>&1; then
    out=$(rpm -qa 2>/dev/null | grep -Ei 'acronis|backup|cyberprotect|cyber-protect' || true)
    build=$(echo "$out" | grep -Eo '[0-9]{5}' | sort -nr | head -n1 || true)
    if [[ -n "$build" ]]; then echo "$build"; return 0; fi
  fi

  if command -v dpkg-query >/dev/null 2>&1; then
    out=$(dpkg-query -W 2>/dev/null | grep -Ei 'acronis|backup|cyberprotect|cyber-protect' || true)
    build=$(echo "$out" | grep -Eo '[0-9]{5}' | sort -nr | head -n1 || true)
    if [[ -n "$build" ]]; then echo "$build"; return 0; fi
  fi

  # 2) Try Acronis command-line utility if present
  for cmd in \
    /usr/lib/Acronis/CommandLineTool/acrocmd \
    /usr/sbin/acrocmd \
    /usr/bin/acrocmd
  do
    if [[ -x "$cmd" ]]; then
      out=$($cmd --version 2>/dev/null || true)
      build=$(echo "$out" | grep -Eo '[0-9]{5}' | sort -nr | head -n1 || true)
      if [[ -n "$build" ]]; then echo "$build"; return 0; fi
    fi
  done

  # 3) Search common install paths for a 5-digit build marker
  out=$(find /opt/acronis /usr/lib/Acronis /etc 2>/dev/null \( -type f -o -type l \) | head -n 5000 | xargs -r strings 2>/dev/null | grep -Ei 'Acronis|Cyber Protect|build' || true)
  build=$(echo "$out" | grep -Eo '[0-9]{5}' | sort -nr | head -n1 || true)
  if [[ -n "$build" ]]; then echo "$build"; return 0; fi

  return 1
}

BUILD=$(extract_build || true)

if [[ -z "$BUILD" ]]; then
  echo "UNKNOWN - could not determine installed Acronis build locally; verify in Cyber Protect console Details view or package inventory"
  exit 2
fi

if [[ "$BUILD" =~ ^[0-9]+$ ]]; then
  if (( BUILD < THRESHOLD )); then
    echo "VULNERABLE - detected build $BUILD, threshold for $PRODUCT is $THRESHOLD"
    exit 1
  else
    echo "PATCHED - detected build $BUILD, threshold for $PRODUCT is $THRESHOLD"
    exit 0
  fi
fi

echo "UNKNOWN - extracted non-numeric build value: $BUILD"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, have the backup team pull an inventory of Acronis VMware appliances, verify which ones are Cloud Agent <36943 or Cyber Protect 17 <41186, and confirm those systems are reachable only from admin networks and jump hosts. Because this reassesses to MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window unless you discover external exposure or suspicious auth activity; in that case, accelerate locally. Plan the actual build upgrade inside the noisgate remediation SLA of ≤365 days, ideally folded into the next normal backup-platform maintenance cycle rather than treated as a same-day fire drill.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.