CVE-2026-28721 · CWE-610 · Disclosed 2026-03-06

Local privilege escalation due to improper soft link handling

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a loose service hatch inside the machine, not an unlocked front gate

CVE-2026-28721 is a Windows-only local privilege escalation in Acronis Cyber Protect 17 before build 41186. The flaw is described as improper soft link handling: a low-privileged local user can abuse symbolic-link or junction behavior so a privileged Acronis operation touches the wrong file or path, potentially turning a normal user foothold into SYSTEM-level control on the host.

The vendor's HIGH 7.3 score is technically defensible in a lab because successful exploitation can end in full host compromise. In real enterprise operations, though, the biggest fact is the one CVSS compresses away: the attacker already needs local access, low privileges, and some triggering/user interaction on a machine that both runs Acronis and is still on a pre-41186 build. That makes this a post-compromise escalator, not an initial-access bug, so the practical urgency drops into MEDIUM.

"Dangerous once an attacker is already on the box, but this is not a front-door emergency"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land low-priv code execution on a protected Windows host

The attacker first needs code execution or an interactive logon as an ordinary user on a Windows system running Acronis Cyber Protect 17. This is the hard gate: the bug does nothing for an unauthenticated remote actor and does not help gain initial access.
Conditions required:
  • Windows host has Acronis Cyber Protect 17 installed
  • Version is before build 41186
  • Attacker already has local execution or a user session
Where this breaks in practice:
  • EDR, AppLocker, WDAC, attack-surface reduction, and macro controls should block many initial footholds before this CVE matters
  • Many Acronis deployments sit on servers with tighter local access than general user workstations
Detection/coverage: External vuln scanners will miss the real risk unless they inventory installed Acronis build numbers on endpoints. EDR should already flag the precursor low-priv execution stage.
STEP 02

Find a privileged file operation to bend

The attacker has to identify an Acronis operation that runs with elevated rights and touches a path the attacker can influence. The likely tooling is built-in Windows link primitives such as mklink, NTFS junctions, or direct Win32 calls like CreateSymbolicLinkW.
Conditions required:
  • Acronis service performs privileged filesystem work
  • Attacker can place or point a link in a writable location relevant to that workflow
Where this breaks in practice:
  • Link creation can be constrained by permissions and platform settings
  • The attacker still needs the exact Acronis path/operation pattern that follows the attacker-controlled reference
Detection/coverage: EDR and Sysmon can often surface suspicious reparse-point creation, junction abuse, or unusual filesystem writes by non-admin users.
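One way to look for the precondition Step 02 describes (a symbolic link or junction in a user-writable location that points into a protected path), written here as an added example and not code from the noisgate page or from Acronis. The watched roots, the protected prefixes and the depth bound are assumptions to tune per fleet; the script is read-only and reports what it finds.

```powershell
# Added example (not from the noisgate page or Acronis): enumerate symbolic
# links and junctions under user-writable roots and flag any whose target
# resolves into a protected prefix. Save as a .ps1 and run it; exit code 1
# means at least one redirecting link was found.

function Get-RedirectingLinks {
    param(
        # Locations an ordinary user can usually write to (assumption)
        [string[]]$WatchRoots = @(
            (Join-Path $env:SystemDrive 'Users'),
            (Join-Path $env:SystemDrive 'ProgramData'),
            (Join-Path $env:SystemRoot 'Temp')
        ),
        # Prefixes a privileged service should never be redirected into (assumption)
        [string[]]$ProtectedPrefixes = @(
            $env:SystemRoot,
            $env:ProgramFiles,
            ${env:ProgramFiles(x86)},
            (Join-Path $env:ProgramData 'Acronis')
        ),
        # Bound the walk so a junction loop cannot make the recursion run away
        [int]$Depth = 6
    )

    $findings = foreach ($root in $WatchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # -Attributes ReparsePoint keeps only reparse points; the LinkType filter
        # then drops non-link reparse points such as cloud-file placeholders
        $gciArgs = @{
            LiteralPath = $root; Recurse = $true; Depth = $Depth; Force = $true
            Attributes = 'ReparsePoint'; ErrorAction = 'SilentlyContinue'
        }
        $links = Get-ChildItem @gciArgs |
            Where-Object { $_.LinkType -eq 'SymbolicLink' -or $_.LinkType -eq 'Junction' }

        foreach ($link in $links) {
            # .Target is a string on PowerShell 7 and an array on 5.1; @() covers both
            foreach ($target in @($link.Target)) {
                if ([string]::IsNullOrWhiteSpace($target)) { continue }

                # Strip the \??\ or \\?\ NT prefix a junction target may carry
                $norm = $target -replace '^\\\?\?\\', '' -replace '^\\\\\?\\', ''

                # Relative symlink targets resolve against the link's own directory
                if (-not [System.IO.Path]::IsPathRooted($norm)) {
                    $linkDir = Split-Path -Parent $link.FullName
                    $norm = [System.IO.Path]::GetFullPath((Join-Path $linkDir $norm))
                }

                $hit = $ProtectedPrefixes |
                    Where-Object { $_ -and $norm.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) } |
                    Select-Object -First 1
                if ($hit) {
                    [PSCustomObject]@{
                        Link         = $link.FullName
                        LinkType     = $link.LinkType
                        Target       = $norm
                        ProtectedHit = $hit
                        Created      = $link.CreationTime
                    }
                }
            }
        }
    }
    return @($findings)
}

$hits = Get-RedirectingLinks
if ($hits.Count -gt 0) {
    # Newest links first: a recently created link from a user profile into
    # Program Files or Windows is the pattern worth reviewing against Acronis activity
    $hits | Sort-Object Created -Descending | Format-Table -AutoSize
    exit 1
}
Write-Output 'No links from writable roots into protected paths found.'
exit 0
```

Run it with enough rights to read the watched roots (local admin gives complete coverage). A hit is not proof of abuse on its own; treat it as a lead to pair with the link's creation time, the owning user and any Acronis backup or recovery operation that ran afterwards.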
STEP 03

Trigger the vulnerable workflow

Because the CNA vector includes UI:R, exploitation appears to need a user or operator action, or at minimum a specific workflow to be invoked rather than being fully autonomous from the attacker's perspective. In practice that means waiting for or inducing the Acronis operation that dereferences the malicious link.
Conditions required:
  • Relevant Acronis action is executed
  • Attacker-controlled link is in place before the privileged operation runs
Where this breaks in practice:
  • User interaction or workflow timing lowers reliability
  • Single-purpose servers may not hit the vulnerable code path often
Detection/coverage: Behavioral telemetry around Acronis process launches, backup/recovery operations, and subsequent writes into protected paths is more valuable than signature-based scanning.
STEP 04

Escalate to SYSTEM on that host

If the privileged Acronis component follows the malicious soft link, it can be tricked into modifying or overwriting a protected target. The outcome is local privilege escalation to a highly privileged context, which is meaningful because a backup/security agent often runs with broad authority over the system.
Conditions required:
  • The vulnerable file operation reaches a security-sensitive target
  • The target choice produces code execution or privileged tampering
Where this breaks in practice:
  • Exploit value is host-local; it does not inherently spread laterally or cross tenants
  • The attacker still needs follow-on tradecraft for credential theft, persistence, or lateral movement
Detection/coverage: Good EDR coverage should catch the post-exploitation stage: privileged file tampering, service abuse, persistence writes, or token escalation from an untrusted process tree.
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: No evidence of active exploitation was found in the reviewed primary sources, and CISA KEV does not list CVE-2026-28721.
Proof-of-concept availability: No public PoC or exploit reference appears in the NVD, CVE, or vendor advisory references reviewed. That does not make the bug harmless; it just removes one urgency amplifier.
EPSS: User-supplied EPSS = 0.00007. That is an extremely low predicted exploitation probability, consistent with a niche, post-compromise local bug; the percentile was not independently verified from FIRST data in this review.
KEV status: Not listed in the CISA Known Exploited Vulnerabilities Catalog.
CVSS vector readout: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H means local-only, needs existing low privileges, and needs user/workflow interaction. That is classic downward pressure versus a remotely reachable flaw.
Affected range: Acronis Cyber Protect 17 (Windows) before build 41186.
Fixed version: Vendor fix is build 41186 or later for Acronis Cyber Protect 17 on Windows.
Exposure reality: This is not meaningfully internet-queryable in Shodan/Censys terms because the vulnerable condition is a local Windows endpoint/server install state, not an exposed network listener. The reachable population is therefore bounded by hosts where an attacker already has execution.
Disclosure timing: User-supplied disclosure date is 2026-03-06; the NVD page shows the CVE was received by the CNA on 2026-03-05 and published by NVD around that same period.
Researcher / reporting: The reviewed public references attribute the CVE to Acronis International GmbH as CNA. No independent researcher credit was visible in the sources reviewed.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.4/10)

The decisive factor is attacker position: this bug only matters after an adversary already has local access on a vulnerable Windows host. That sharply narrows the exposed population and makes the CVE a post-compromise privilege escalator, not a broad enterprise entry point.

HIGH: Assessment that this is a local post-compromise issue rather than an initial-access emergency
MEDIUM: Assessment of exploit reliability, because the public technical detail is thin and the advisory is terse

Why this verdict

  • Local-only requirement cuts the score hard: AV:L means the attacker is already on the endpoint or server. For a 10,000-host fleet, that is not a front-door risk; it is a follow-on privilege bump after another control has already failed.
  • Low privileges still imply prior compromise: PR:L is not 'easy'; it means malware, a stolen user session, or an internal user already exists. That prerequisite compounds the downward adjustment from the vendor's 7.3 baseline.
  • User/workflow interaction lowers reach and reliability: UI:R suggests the exploit is not pure fire-and-forget. The attacker likely needs a user action, operator workflow, or timing against a specific privileged Acronis operation, which trims mass-exploitation potential.
  • Windows-only and version-bounded: only Acronis Cyber Protect 17 on Windows before build 41186 is affected. That is a much narrower fleet slice than a cross-platform or remotely exposed agent flaw.
  • No exploitation evidence amplifier: no KEV listing, no public PoC in reviewed primary references, and a very low user-supplied EPSS all argue against treating this as a hot operational threat.
  • Not lower because SYSTEM still matters: once an attacker has local execution on a machine running a backup/security agent, turning that into SYSTEM can defeat host controls, steal secrets, and enable strong persistence. On shared admin servers, that can still be materially bad.

Why not higher?

A higher rating would require at least one strong amplifier that is missing here: unauthenticated remote reachability, broad internet exposure, active exploitation, or trivial weaponization. Instead, every major prerequisite stacks in the opposite direction: local access, existing privileges, vulnerable Windows build, and workflow interaction.

Why not lower?

This is still a real privilege-escalation path on a product that commonly runs with elevated rights and touches sensitive files. If an attacker already has a foothold, converting that foothold into SYSTEM is operationally meaningful and can be the difference between a contained user compromise and a full-host compromise.

05 · Compensating Control

What to do — in priority order.

  1. Restrict interactive access — Reduce the number of users who can log on locally or via RDP to Acronis-managed Windows servers and consoles. Because this verdict is MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window while prioritizing shared admin systems and high-value backup infrastructure for tighter access control immediately.
  2. Watch for reparse-point abuse — Add or tune EDR/Sysmon coverage for suspicious creation of symbolic links, junctions, and abnormal writes by low-privilege users followed by Acronis service activity. There is no mitigation SLA for MEDIUM, so use this as hardening and detection coverage while you patch within the 365-day remediation window.
  3. Apply application control on admin-heavy hosts — Use WDAC, AppLocker, or equivalent to limit untrusted binaries and scripts on backup servers, management servers, and jump boxes where Acronis is installed. This is the control most likely to kill the prerequisite low-priv execution stage before the CVE ever becomes relevant; for MEDIUM, move it through normal hardening if not already present and remediate the vulnerable builds within 365 days.
  4. Prioritize multi-user and admin-path systems — If you cannot patch every Acronis Windows deployment at once, start with shared servers, management nodes, terminal servers, and endpoints used by IT admins. Those systems offer the best payoff for a local SYSTEM escalation and should be first in your normal MEDIUM remediation window.
What doesn't work
  • Perimeter firewalls or WAFs do not help; this is not a remotely reachable network bug.
  • Internet exposure scanning will miss the practical risk because the vulnerable condition is an installed local agent build, not an externally fingerprintable service.
  • MFA does not neutralize the vulnerability itself; it only helps reduce some paths to the prerequisite user foothold.
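The telemetry pattern that Steps 03 and 04 and control 2 describe (file activity by a non-elevated process in a writable location, followed shortly afterwards by an Acronis service process writing into a protected path) can be expressed as a correlation over Sysmon records. The block below is an added example, not code from the noisgate page or from Acronis. It joins Sysmon Event ID 1 (ProcessCreate, which carries IntegrityLevel) with Event ID 11 (FileCreate, which does not) by ProcessGuid. The Acronis image pattern, the writable and protected prefixes, the 30-minute window, and the sample events are all constructed assumptions; real events come from the Sysmon operational log as shown in the comment.

```powershell
# Added example (not from the noisgate page or Acronis): correlate Sysmon
# Event 1 and Event 11 records to find a privileged-image write into a
# protected path preceded by low-integrity file activity in a writable root.

function ConvertFrom-SysmonXml([string]$raw) {
    # Flatten one Sysmon event (as returned by EventLogRecord.ToXml()) into Id, Time, Data
    $x = [xml]$raw
    $id = $x.Event.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    [PSCustomObject]@{
        Id   = [int]$id
        Time = [datetime]::ParseExact($data['UtcTime'], 'yyyy-MM-dd HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
        Data = $data
    }
}

function Test-Prefix([string]$path, [string[]]$prefixes) {
    foreach ($p in $prefixes) {
        if ($path -and $path.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Find-StagedPrivilegedWrites {
    param(
        [string[]]$EventXml,
        [string[]]$PrivilegedImagePatterns = @('*\Acronis\*'),                 # assumption
        [string[]]$ProtectedPrefixes = @('C:\Windows\', 'C:\Program Files\'),  # assumption
        [string[]]$WatchRoots = @('C:\Users\', 'C:\ProgramData\'),             # assumption
        [int]$WindowMinutes = 30
    )
    $events = @($EventXml | ForEach-Object { ConvertFrom-SysmonXml $_ })

    # Event 1 is the only place the integrity level lives; index it by ProcessGuid
    $integrity = @{}
    foreach ($e in ($events | Where-Object Id -eq 1)) {
        $integrity[$e.Data['ProcessGuid']] = $e.Data['IntegrityLevel']
    }
    $creates = @($events | Where-Object Id -eq 11)

    # Stage A: file created in a writable root by a Medium- or Low-integrity process
    $staging = $creates | Where-Object {
        $lvl = $integrity[$_.Data['ProcessGuid']]
        ($lvl -eq 'Medium' -or $lvl -eq 'Low') -and (Test-Prefix $_.Data['TargetFilename'] $WatchRoots)
    }
    # Stage B: a privileged-image process creating a file under a protected prefix
    $privileged = $creates | Where-Object {
        $img = $_.Data['Image']; $file = $_.Data['TargetFilename']
        ($PrivilegedImagePatterns | Where-Object { $img -like $_ }) -and (Test-Prefix $file $ProtectedPrefixes)
    }

    # Pair each stage-B write with stage-A activity inside the look-back window
    $pairs = foreach ($p in $privileged) {
        $window = $staging | Where-Object { $_.Time -le $p.Time -and $_.Time -ge $p.Time.AddMinutes(-$WindowMinutes) }
        foreach ($s in $window) {
            [PSCustomObject]@{
                StagedAt = $s.Time; StagedFile = $s.Data['TargetFilename']; StagedBy = $s.Data['Image']
                WriteAt  = $p.Time; WrittenFile = $p.Data['TargetFilename']; WrittenBy = $p.Data['Image']
            }
        }
    }
    return @($pairs)
}

function New-SampleEvent([int]$id, [hashtable]$fields) {
    # Build a minimal Sysmon-shaped event for offline testing (constructed, not real telemetry)
    $data = ($fields.GetEnumerator() | ForEach-Object {
        '<Data Name="{0}">{1}</Data>' -f $_.Key, [System.Security.SecurityElement]::Escape($_.Value)
    }) -join ''
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>{0}</EventID></System><EventData>{1}</EventData></Event>' -f $id, $data
}

# Constructed sample: a Medium-integrity process writes under a user profile; four
# minutes later a process under an assumed Acronis path writes into System32. The
# agent's own write into ProgramData\Acronis is a negative case and is not flagged.
$sample = @(
    (New-SampleEvent 1  @{ UtcTime='2026-03-06 10:00:00.000'; ProcessGuid='{G-LOW}'; Image='C:\Users\alice\AppData\Local\Temp\stage.exe'; IntegrityLevel='Medium' }),
    (New-SampleEvent 11 @{ UtcTime='2026-03-06 10:01:10.000'; ProcessGuid='{G-LOW}'; Image='C:\Users\alice\AppData\Local\Temp\stage.exe'; TargetFilename='C:\Users\alice\AppData\Local\Temp\report.log' }),
    (New-SampleEvent 1  @{ UtcTime='2026-03-06 10:04:00.000'; ProcessGuid='{G-SVC}'; Image='C:\Program Files\Acronis\Agent\acronis_agent.exe'; IntegrityLevel='System' }),
    (New-SampleEvent 11 @{ UtcTime='2026-03-06 10:04:30.000'; ProcessGuid='{G-SVC}'; Image='C:\Program Files\Acronis\Agent\acronis_agent.exe'; TargetFilename='C:\ProgramData\Acronis\task.tmp' }),
    (New-SampleEvent 11 @{ UtcTime='2026-03-06 10:05:30.000'; ProcessGuid='{G-SVC}'; Image='C:\Program Files\Acronis\Agent\acronis_agent.exe'; TargetFilename='C:\Windows\System32\example.tmp' })
)

# Live use: replace $sample with the last day of Sysmon events, for example
#   Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1,11; StartTime=(Get-Date).AddDays(-1)} | ForEach-Object { $_.ToXml() }
Find-StagedPrivilegedWrites -EventXml $sample | Format-Table -AutoSize
```

The pairing is deliberately loose (any low-integrity write in a writable root, not only link creation) because FileCreate records do not say whether the new object is a reparse point; a pair is a triage lead to combine with the reparse-point audit and with the Acronis task that ran in between, not a verdict by itself.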
06 · Verification

Crowdsourced verification payload.

Run this on the target Windows host or through your endpoint management tool as a standard inventory script. Invoke it with powershell -ExecutionPolicy Bypass -File .\check-acronis-cve-2026-28721.ps1; local admin helps for complete registry/file visibility, but normal user rights often work. The script reports VULNERABLE, PATCHED, or UNKNOWN and uses exit codes 1, 0, and 2 respectively.

# check-acronis-cve-2026-28721.ps1
# Purpose: Detect whether Acronis Cyber Protect 17 on Windows is below fixed build 41186
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

$ErrorActionPreference = 'SilentlyContinue'
$fixedBuild = 41186

function Get-AcronisInstallInfo {
    # Check both the native and the WOW6432Node uninstall hives
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $results = @()
    foreach ($root in $roots) {
        $items = Get-ItemProperty $root | Where-Object {
            $_.DisplayName -match 'Acronis Cyber Protect 17' -or $_.DisplayName -match '^Acronis Cyber Protect$'
        }
        foreach ($i in $items) {
            $results += [PSCustomObject]@{
                DisplayName     = $i.DisplayName
                DisplayVersion  = $i.DisplayVersion
                InstallLocation = $i.InstallLocation
                Publisher       = $i.Publisher
            }
        }
    }
    return $results
}

function Get-BuildFromText([string]$text) {
    if ([string]::IsNullOrWhiteSpace($text)) { return $null }

    # Try dotted versions first, e.g. 17.0.41186 or 17.0.41186.0. The build is the
    # large component, so take the largest captured group rather than always the
    # third one; returning a small minor number here would also skip the fallback.
    if ($text -match '(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?') {
        $parts = @($Matches[1], $Matches[2], $Matches[3], $Matches[4]) |
            Where-Object { $_ } | ForEach-Object { [int]$_ }
        $candidate = ($parts | Measure-Object -Maximum).Maximum
        if ($candidate -ge 1000) { return [int]$candidate }
    }

    # Fallback: last 4-6 digit number in the string. @() keeps a single match an
    # array; without it $nums[0] would index the first character of the string.
    $nums = @([regex]::Matches($text, '(\d{4,6})') | ForEach-Object { $_.Value })
    if ($nums.Count -gt 0) {
        return [int]$nums[$nums.Count - 1]
    }

    return $null
}

$installs = Get-AcronisInstallInfo

if (-not $installs -or $installs.Count -eq 0) {
    Write-Output 'UNKNOWN: Acronis Cyber Protect 17 installation not found in uninstall registry.'
    exit 2
}

$best = $null
foreach ($app in $installs) {
    $build = Get-BuildFromText $app.DisplayVersion

    # If the registry version is unclear, try a likely executable path under InstallLocation
    if (-not $build -and $app.InstallLocation) {
        $candidates = @(
            (Join-Path $app.InstallLocation 'Agent\acronis_agent.exe'),
            (Join-Path $app.InstallLocation 'CyberProtectionService.exe'),
            (Join-Path $app.InstallLocation 'AcronisAgent.exe')
        )
        foreach ($c in $candidates) {
            if (Test-Path $c) {
                $fv = (Get-Item $c).VersionInfo.FileVersion
                $build = Get-BuildFromText $fv
                if ($build) { break }
            }
        }
    }

    $record = [PSCustomObject]@{
        DisplayName = $app.DisplayName
        DisplayVersion = $app.DisplayVersion
        InstallLocation = $app.InstallLocation
        Build = $build
    }

    if (-not $best) { $best = $record }
    elseif ($record.Build -and (-not $best.Build -or $record.Build -gt $best.Build)) { $best = $record }
}

if (-not $best.Build) {
    Write-Output ('UNKNOWN: Found Acronis install but could not determine build. Name="{0}" Version="{1}" Path="{2}"' -f $best.DisplayName, $best.DisplayVersion, $best.InstallLocation)
    exit 2
}

if ($best.Build -lt $fixedBuild) {
    Write-Output ('VULNERABLE: {0} Version="{1}" Build={2} is below fixed build {3}.' -f $best.DisplayName, $best.DisplayVersion, $best.Build, $fixedBuild)
    exit 1
}
else {
    Write-Output ('PATCHED: {0} Version="{1}" Build={2} is at or above fixed build {3}.' -f $best.DisplayName, $best.DisplayVersion, $best.Build, $fixedBuild)
    exit 0
}

07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: query your Windows fleet for Acronis Cyber Protect 17 build numbers, scope anything below 41186, and sort that list by shared admin systems, backup infrastructure, jump boxes, and multi-user servers first. This is a MEDIUM reassessment, so there is no noisgate mitigation SLA — go straight to the 365-day remediation window unless your own environment has unusually high local-user exposure; under the noisgate remediation SLA, move all affected Windows Acronis 17 systems to build 41186 or later within 365 days, with earlier completion for high-value systems where a local SYSTEM escalation would materially worsen an existing foothold.

Sources

  1. Acronis advisory SEC-8445
  2. NVD entry for CVE-2026-28721
  3. CVE.org record
  4. CISA Known Exploited Vulnerabilities Catalog
  5. FIRST EPSS overview
  6. FIRST EPSS API documentation
  7. Acronis Cyber Protect 17 support page
  8. Microsoft mklink documentation