CVE-2026-28718 · CWE-779 · Disclosed 2026-03-06

Denial of service due to insufficient input validation in authentication logging

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a fire alarm that can be tripped until the control room drowns in its own paperwork

CVE-2026-28718 is a denial-of-service flaw in Acronis Cyber Protect 17 on Linux and Windows before build 41186. The bug sits in authentication logging: a remote party can hit the login surface with crafted input, and the product does not validate that input tightly enough before logging it. The likely failure mode is log growth and resource exhaustion in the management plane rather than data theft or code execution.

The scary part is the network-reachable, no-authentication path. The reality check is that this is still availability-only and usually lands on an internal management server, not an internet edge app. Also, the authoritative Acronis CNA record published on 2026-03-06 scored it 5.3/MEDIUM; NVD later enriched it to 7.5/HIGH on 2026-03-12. Real-world conditions look much closer to the vendor's original take than the enriched NVD score.

"Unauthenticated DoS sounds scary, but this usually only matters if your Acronis console is reachable from untrusted networks."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable Cyber Protect console

The attacker identifies an Acronis management server exposing the web console or REST surface, commonly on TCP 9877. Generic tooling like nmap, masscan, or even a browser is enough because no authentication is required to reach the login endpoint. The attack starts only if the vulnerable management plane is reachable from the attacker's network position.
Conditions required:
  • Acronis Cyber Protect 17 management server is deployed
  • Version is earlier than build 41186
  • Attacker can reach the management console over the network
Where this breaks in practice:
  • Most enterprises keep backup/security management consoles on internal admin networks
  • VPN, ACLs, reverse proxies, or management segmentation often reduce reachability
  • Exposure is management-server specific, not every protected endpoint
Detection/coverage: External attack-surface tools may spot TCP 9877 exposure, but version fingerprinting is weak. Authenticated asset inventory or local package/version checks are more reliable than unauthenticated scanners.
STEP 02

Hammer the authentication logger

Using curl, Burp Repeater/Intruder, or a simple Python loop, the attacker sends repeated crafted authentication requests containing oversized or malformed fields that trigger excessive logging. Because the flaw is in authentication logging, the attacker does not need a valid account to reach the vulnerable code path. The workload is cheap for the attacker and shifts processing and storage cost to the server.
Conditions required:
  • Unauthenticated access to the login/API entry point
  • Input reaches the authentication logging component
Where this breaks in practice:
  • Rate limits, reverse proxy request limits, or WAF size constraints can cut this off early
  • If verbose auth logging is centralized or capped, impact may be blunted
  • Some environments place the console behind VPN or admin bastions, removing anonymous reachability
Detection/coverage: Web logs, reverse proxy logs, SIEM auth-failure spikes, and sudden growth in Acronis logs are the best clues. Signature coverage for this exact CVE is likely thin; anomaly detection is more realistic.
STEP 03

Exhaust disk, CPU, or log-processing capacity

The vulnerable service spends resources validating, writing, rotating, and possibly indexing the abusive authentication events. Tooling is still basic HTTP traffic generation; the weapon here is volume plus crafted input, not a sophisticated exploit chain. Once logs or associated processing back up, the management server becomes slow, unstable, or unavailable.
Conditions required:
  • Logging path accepts repeated malicious input
  • Host has finite disk, I/O, CPU, or log pipeline capacity
Where this breaks in practice:
  • Disk quotas, log rotation, and monitoring can stop a full outage
  • Well-provisioned servers may degrade before they fail
  • Separate logging partitions or externalized logs can reduce local blast radius
Detection/coverage: Infrastructure monitoring should catch disk growth, I/O waits, service instability, and alert storms. EDR will not reliably classify this as exploitation; ops telemetry matters more.
STEP 04

Disrupt the management plane

The attacker wins by degrading or denying access to the Cyber Protect console and management workflows. That can delay backups, investigations, agent administration, and security operations across many protected workloads even though the attacker never gets code execution or data access. The business impact comes from central operational disruption, not direct host compromise.
Conditions required:
  • Management server instability affects admin access or orchestration functions
Where this breaks in practice:
  • Protected endpoints are not automatically compromised by this flaw
  • Recovery is usually an admin/operations event, not incident-response-at-scale malware containment
  • Redundant management design and backups can shorten outage duration
Detection/coverage: Service health checks, failed console logins, backup-job failures, and missed agent-management actions will show the impact quickly. Vulnerability scanners may flag the product/version but cannot prove exploitability from the attacker's actual network position.
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: No public evidence found of active exploitation as of 2026-05-27; not listed in CISA KEV and no campaign reporting located.
PoC availability: No public PoC located in the searched sources and GitHub results. Attack mechanics look straightforward with generic HTTP tooling, but that is not the same as seeing a weaponized public exploit.
EPSS: 0.00137 from the user intel block — effectively *very low* expected near-term exploitation probability.
KEV status: Not KEV-listed. Exact search for CVE-2026-28718 on cisa.gov returned no result, and it does not appear in the KEV catalog.
CVSS disagreement: Acronis CNA published 5.3/MEDIUM on 2026-03-06 with AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L; NVD later enriched it to 7.5/HIGH on 2026-03-12 with .../A:H. That gap is the important nuance.
Affected versions: Acronis Cyber Protect 17 on Linux and Windows, before build 41186.
Fixed version: Upgrade to Acronis Cyber Protect 17 build 41186 or later. No distro backport detail was found; this appears to be an application build-level fix, not an OS package advisory.
Exposure reality: Acronis documentation shows the management console commonly uses port 9877, and the management server is the central control point. That means impact can be broad inside one environment, but only if the console is reachable from the attacker network.
Scanning / exposure data: No trustworthy public census data found tying this CVE to meaningful Shodan/Censys/FOFA exposure counts. Treat internet exposure as environment-specific and verify internally.
Disclosure / source: Disclosed 2026-03-06 by Acronis International GmbH via advisory SEC-8377.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.0/10)

The decisive friction is attacker reachability to the Acronis management console, which in most enterprises sits on a restricted admin network rather than the public internet. This is also an availability-only issue: it can disrupt a central service, but it does not hand over code execution, credentials, or tenant-wide compromise by itself.

  • HIGH: Affected version range and fixed build
  • HIGH: No KEV / no public exploitation evidence
  • MEDIUM: Practical attack impact assumptions without a public technical root-cause write-up

Why this verdict

  • Down from NVD's 7.5 baseline: the vulnerable surface is the management console, not every protected host, so exposed population is materially smaller than a generic AV:N/PR:N web bug.
  • Second downward adjustment: many real deployments keep Cyber Protect on internal admin networks or VPN-only access, which means exploitation often presumes prior network position or exposure mistakes.
  • Third downward adjustment: the outcome is DoS only. No confidentiality, integrity, privilege, or code-execution path is documented.
  • But not a trivial bug: if your Acronis management server is reachable, the blast radius can span many managed workloads because the product is a central orchestration point.
  • Threat intel is quiet: very low EPSS, no KEV listing, and no public PoC or campaign reporting keep this out of the urgent buckets.

Why not higher?

Because this is not a remote takeover bug. To justify HIGH in real operations, I would want either active exploitation, broad internet exposure, or a compromise outcome beyond service disruption. None of that is established here, and the management-plane placement sharply narrows the reachable population.

Why not lower?

Because central management downtime still hurts. If an exposed Acronis server takes repeated auth-log abuse, you can lose console access and delay backup, recovery, and security operations across a sizeable estate. That's more than backlog hygiene even if it is not an emergency patch-everything event.

05 · Compensating Control

What to do — in priority order.

  1. Restrict console reachability — Put the Cyber Protect management console behind VPN, admin jump hosts, or source-IP ACLs so untrusted networks cannot hit the login surface. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but if the console is internet-exposed you should close that exposure immediately anyway.
  2. Rate-limit and size-limit auth requests — Apply reverse-proxy or WAF controls that cap request rate, header/body sizes, and repeated failed authentication traffic to the console. This is the best temporary brake against log-amplification style DoS while you move to the fixed build.
  3. Alert on abnormal auth-log growth — Create monitoring for sudden increases in authentication failures, log volume, disk consumption, or service instability on the management server. That won't prevent exploitation, but it shortens detection and reduces outage duration.
  4. Separate and cap logging storage — Use log rotation, disk quotas, and where possible dedicated storage or centralized forwarding for Acronis logs so abusive auth events do not consume the entire host. This reduces the chance that a logging flaw becomes a full management outage.
What doesn't work
  • Endpoint AV/EDR on managed endpoints does not meaningfully stop this, because the abuse targets the management server's authentication surface and looks like service traffic.
  • MFA is good hygiene but does not fix this bug, because the attacker does not need a valid account to reach the vulnerable logging path.
  • Perimeter scanning alone is insufficient; it may find the port, but it will not tell you whether the server is actually on a vulnerable build or how your logging/storage settings affect impact.
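The anomaly logic that step 02 and control 3 call for, as an added example that is not the advisory's or the noisgate page's own code: it runs over constructed reverse-proxy access lines in front of the console and flags a per-source burst of failed logins plus any oversized login request. The log format, the /api/2/login route and the thresholds are assumptions, not Acronis specifics.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed values (not from the advisory): login route and per-source thresholds.
LOGIN_PATH_RE = re.compile(r'^/api/\d+/login(?:$|[/?])')  # hypothetical route
FAIL_WINDOW_S = 60      # sliding window (seconds) for failed logins per source
FAIL_THRESHOLD = 20     # failed logins inside the window that count as a burst
MAX_LOGIN_BYTES = 2048  # a login request larger than this is suspicious here

# nginx-style combined log line with $request_length appended as a last field.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" (?P<req_len>\d+)$')

def parse_line(line):
    # One access-log line -> dict, or None if the line does not parse.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z').timestamp()
    return {'src': m['src'], 'ts': ts, 'path': m['path'],
            'status': int(m['status']), 'req_len': int(m['req_len'])}

def detect(lines):
    # Returns (kind, src, detail) findings; at most one auth_burst per source.
    findings, reported = [], set()
    fails = defaultdict(deque)  # src -> timestamps of recent failed logins
    for line in lines:
        ev = parse_line(line)
        if ev is None or not LOGIN_PATH_RE.match(ev['path']):
            continue  # only the login surface matters for this flaw
        if ev['req_len'] > MAX_LOGIN_BYTES:
            findings.append(('oversized_login', ev['src'], f"{ev['req_len']} bytes to {ev['path']}"))
        if ev['status'] in (401, 403):
            q = fails[ev['src']]
            q.append(ev['ts'])
            while q and ev['ts'] - q[0] > FAIL_WINDOW_S:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= FAIL_THRESHOLD and ev['src'] not in reported:
                reported.add(ev['src'])
                findings.append(('auth_burst', ev['src'], f'{len(q)} failed logins in {FAIL_WINDOW_S}s'))
    return findings

def sample_log():
    # Constructed lines: one normal admin login, then one source hammering the
    # login route with 25 failures in 25 seconds, one of them with a 9000-byte body.
    fmt = ('{src} - - [17/May/2026:09:40:{sec:02d} +0000] "POST {path} HTTP/1.1" '
           '{st} 128 "-" "curl/8.4" {n}')
    lines = [fmt.format(src='10.0.0.5', sec=1, path='/api/2/login', st=200, n=310)]
    for i in range(25):
        lines.append(fmt.format(src='203.0.113.9', sec=i, path='/api/2/login',
                                st=401, n=9000 if i == 3 else 300))
    return lines
```

Calling detect(sample_log()) yields one oversized_login and one auth_burst finding for 203.0.113.9 and nothing for the normal admin source; feed real proxy lines to detect() and route findings to the SIEM.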
06 · Verification

Crowdsourced verification payload.

Run this on the Acronis management server itself or on an endpoint where Cyber Protect 17 is installed. Invoke it with python3 check_cve_2026_28718.py on Linux/macOS or py check_cve_2026_28718.py on Windows; note that only Windows and Linux checks are implemented, so any other platform reports UNKNOWN. Standard user rights are usually enough, though the Windows registry enumeration may work best from an elevated shell.

#!/usr/bin/env python3
# check_cve_2026_28718.py
# Determine likely exposure to CVE-2026-28718 by checking for Acronis Cyber Protect 17
# and comparing discovered build numbers against fixed build 41186.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

import os
import re
import sys
import platform
import subprocess
from pathlib import Path

FIXED_BUILD = 41186
TARGET_NAMES = [
    'Acronis Cyber Protect 17',
    'Acronis Cyber Protect',
    'Acronis Backup Agent',
    'Acronis Managed Machine Service',
]

BUILD_RE = re.compile(r'(?<!\d)(\d{5})(?!\d)')
VER_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?')


def out(status, detail):
    print(f'{status}: {detail}')
    if status == 'PATCHED':
        sys.exit(0)
    if status == 'VULNERABLE':
        sys.exit(1)
    sys.exit(2)


def extract_build(text):
    # Prefer a bare five-digit token (Acronis build numbers such as 41186);
    # otherwise accept a dotted version whose last component looks like a build.
    if not text:
        return None
    m = BUILD_RE.search(text)
    if m:
        return int(m.group(1))
    m = VER_RE.search(text)
    if m:
        parts = [p for p in m.groups() if p is not None]
        last = int(parts[-1])
        if last >= 10000:
            return last
    return None


def run(cmd):
    try:
        p = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
        return p.returncode, (p.stdout or '') + (p.stderr or '')
    except Exception:
        return 999, ''


def check_windows():
    candidates = []
    try:
        import winreg
    except Exception:
        return None, 'winreg unavailable'

    reg_paths = [
        r'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        r'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    ]

    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        for base in reg_paths:
            try:
                k = winreg.OpenKey(hive, base)
            except Exception:
                continue
            for i in range(0, winreg.QueryInfoKey(k)[0]):
                try:
                    subname = winreg.EnumKey(k, i)
                    sk = winreg.OpenKey(k, subname)
                    name = str(winreg.QueryValueEx(sk, 'DisplayName')[0])
                except Exception:
                    continue
                if 'Acronis' not in name:
                    continue
                version = ''
                publisher = ''
                install = ''
                try:
                    version = str(winreg.QueryValueEx(sk, 'DisplayVersion')[0])
                except Exception:
                    pass
                try:
                    publisher = str(winreg.QueryValueEx(sk, 'Publisher')[0])
                except Exception:
                    pass
                try:
                    install = str(winreg.QueryValueEx(sk, 'InstallLocation')[0])
                except Exception:
                    pass
                if any(t.lower() in name.lower() for t in TARGET_NAMES) or ('Acronis' in name and '17' in version):
                    candidates.append((name, version, publisher, install))

    for item in candidates:
        name, version, publisher, install = item
        b = extract_build(version) or extract_build(name)
        if b:
            return b, f'{name} {version}'.strip()

    common_paths = [
        Path(os.environ.get('ProgramFiles', r'C:\Program Files')) / 'Acronis',
        Path(os.environ.get('ProgramFiles(x86)', r'C:\Program Files (x86)')) / 'Acronis',
    ]
    for root in common_paths:
        if not root.exists():
            continue
        for p in root.rglob('*'):
            if not p.is_file():
                continue
            b = extract_build(str(p))
            if b:
                return b, str(p)

    return None, 'No Acronis Cyber Protect 17 build identified on Windows'


def check_linux():
    cmds = [
        ['rpm', '-qa'],
        ['dpkg-query', '-W', '-f=${Package} ${Version}\n'],
    ]
    for cmd in cmds:
        rc, text = run(cmd)
        if rc == 0 and text:
            for line in text.splitlines():
                if 'acronis' in line.lower() or 'backupclient' in line.lower():
                    b = extract_build(line)
                    if b:
                        return b, line.strip()

    common_paths = [
        Path('/usr/lib/Acronis'),
        Path('/opt/acronis'),
        Path('/var/lib/Acronis'),
        Path('/etc/Acronis'),
    ]
    for root in common_paths:
        if not root.exists():
            continue
        for p in root.rglob('*'):
            # Heuristic: a build number may appear in a path component (e.g. a
            # versioned directory) or inside a small text/config file. Any
            # unrelated five-digit number would also match, so treat the result
            # as a hint, not proof.
            b = extract_build(str(p))
            if b:
                return b, str(p)
            try:
                if not p.is_file() or p.stat().st_size >= 1024 * 1024:
                    continue
                data = p.read_text(errors='ignore')
            except Exception:
                continue
            b = extract_build(data)
            if b:
                return b, str(p)

    return None, 'No Acronis Cyber Protect 17 build identified on Linux'


def main():
    system = platform.system().lower()
    if 'windows' in system:
        build, source = check_windows()
    elif 'linux' in system:
        build, source = check_linux()
    else:
        out('UNKNOWN', f'Unsupported platform for this check: {platform.system()}')
        return

    if build is None:
        out('UNKNOWN', source)  # out() exits; the return keeps the flow explicit
        return
    if build < FIXED_BUILD:
        out('VULNERABLE', f'Discovered build {build} from {source}; fixed build is {FIXED_BUILD}')
    else:
        out('PATCHED', f'Discovered build {build} from {source}; meets or exceeds fixed build {FIXED_BUILD}')


if __name__ == '__main__':
    main()
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: first, identify every Acronis Cyber Protect 17 management server and verify whether any console is reachable from untrusted networks; if yes, close that exposure or rate-limit it right away. For this MEDIUM reassessment there is no noisgate mitigation SLA — go straight to the 365-day remediation window, but exposed internet-facing consoles deserve immediate hardening even without a formal mitigation deadline. Then schedule upgrade to build 41186+ inside the noisgate remediation SLA of ≤365 days, with any externally reachable or business-critical management servers handled first.

Sources

  1. NVD CVE-2026-28718
  2. Acronis advisory SEC-8377
  3. CVE.org record
  4. Acronis Cyber Protect 17 getting started
  5. Acronis Docker management server install showing port publication
  6. Acronis network connection diagram noting port 9877/TLS
  7. CISA KEV catalog
  8. FIRST EPSS overview