CVE-2026-28722 · CWE-610 · Disclosed 2026-03-06

Local privilege escalation due to improper soft link handling

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a spare master key left inside the building, not a lock that opens from the street

CVE-2026-28722 is a local privilege escalation in Acronis Cyber Protect 17 for Windows caused by improper soft link handling. The affected range is Acronis Cyber Protect 17 (Windows) before build 41186. In plain terms, a low-privileged local user can try to steer a privileged Acronis operation into following an attacker-controlled link and touching files or locations it should never trust, with the end goal of executing or writing as a more privileged context.

The vendor's HIGH 7.3 score is technically defensible in a lab, but it overstates the enterprise patch urgency in the real world. This bug is not remote, not pre-auth, not wormable, not KEV-listed, has very low EPSS, and even the CNA vector includes local access, low privileges, and user interaction. That is classic *post-compromise* territory: valuable for ransomware operators after foothold, but not a reason to blow up your whole patch calendar.

"Useful to intruders already on the box, but not the fire-drill the vendor's HIGH label suggests"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land on the Windows host first

The attacker must already have code execution as a local user on a Windows system running vulnerable Acronis Cyber Protect 17. Typical weaponized tooling here is not an exploit kit but ordinary post-compromise tradecraft such as cmd.exe, powershell.exe, an RMM implant, or a commodity loader. Without that initial foothold, CVE-2026-28722 does nothing.
Conditions required:
  • Attacker already has local code execution on the target Windows host
  • Acronis Cyber Protect 17 is installed
  • Installed build is earlier than 41186
Where this breaks in practice:
  • This prerequisite already implies a prior compromise stage
  • Many Acronis servers are not broadly exposed to untrusted users
  • EDR commonly catches the initial foothold before local escalation attempts matter
Detection/coverage: External scanners can only flag vulnerable product versions; they cannot prove exploitability from the network. Host telemetry is required.
STEP 02

Prepare a malicious link target

The attacker then uses native Windows filesystem features such as mklink.exe, junctions, or symlink APIs to create an attacker-controlled redirection point. The intended play is to make a privileged Acronis component resolve a path outside its intended trust boundary. This is the step directly tied to the CWE-610 soft-link handling flaw.
Conditions required:
  • Ability to create or place files in a location the Acronis component will touch
  • Local privileges sufficient to stage the link or reparse point
  • A predictable Acronis file operation or writable staging area
Where this breaks in practice:
  • Not every Windows configuration allows ordinary users to create symlinks freely
  • Operational details are not public, so attackers need trial-and-error
  • File ACLs and controlled folders may limit where the redirect can point
Detection/coverage: Good EDRs and Sysmon deployments can log symlink/reparse-point creation and suspicious file operations in Acronis paths, but coverage is environment-dependent.
STEP 03

Trigger the privileged Acronis workflow

A privileged Acronis process or service must be induced to process the attacker-controlled path. Because the CNA vector includes UI:R, exploitation likely depends on a user-driven or locally triggerable workflow rather than a silent background-only condition. The attacker is trying to get a higher-privileged Acronis component to follow the malicious link during update, maintenance, or another file-handling operation.
Conditions required:
  • A matching Acronis workflow is reachable on the target host
  • Some user or local process interaction is available to trigger it
  • The privileged Acronis component runs with elevated rights
Where this breaks in practice:
  • User interaction materially narrows opportunistic exploitation
  • No public PoC means trigger reliability is unknown
  • Many managed servers have limited interactive use, reducing reachable trigger paths
Detection/coverage: Version checks will not catch exploitation attempts in progress. Detection is behavioral: elevated Acronis processes touching unexpected paths, spawning children, or writing outside normal directories.
STEP 04

Escalate to SYSTEM-level impact on that host

If the link-follow succeeds, the attacker can potentially redirect a privileged write or operation into a protected location and gain local privilege escalation. The likely end state is SYSTEM or equivalent control over the affected Windows host. That can be operationally important on backup infrastructure, but the blast radius is still fundamentally one host at a time unless the attacker chains it with separate lateral movement.
Conditions required:
  • The vulnerable Acronis operation runs with elevated privileges
  • The redirected action affects a security-sensitive file, executable, or configuration
  • The attacker can execute or leverage the resulting privileged state
Where this breaks in practice:
  • Impact is local to the compromised machine, not fleet-wide by itself
  • Modern EDR often catches the follow-on privileged actions
  • The attacker still needs a second step for lateral movement or domain impact
Detection/coverage: High-fidelity signals include unexpected child processes from Acronis services, protected-file modification, privilege escalation alerts, and service-binary or scheduled-task tampering.
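The behavioural detection described for Steps 03 and 04 (and in Compensating Control 3), as an added example that is not part of the noisgate page or its verification payload: it flags a process under an Acronis directory spawning an unexpected child (Sysmon Event ID 1) or creating a file outside its expected install roots (Sysmon Event ID 11). It assumes Sysmon's standard event schema, PowerShell 5.1 or later, and a conhost.exe-only child allowlist and ProgramData root that are placeholders to tune against your own baseline.

```powershell
# hunt-acronis-behaviour.ps1 (added example, not part of the noisgate payload)
# Behavioural detection for Steps 03/04 and Compensating Control 3: an elevated Acronis process
# spawning an unexpected child (Sysmon Event ID 1) or creating a file outside its expected roots
# (Sysmon Event ID 11). It works on raw Sysmon event XML, so the constructed samples below run
# offline; on a live host feed it $_.ToXml() from Get-WinEvent instead (see the last comment).
$acronisImage    = '\\Acronis\\'                                 # regex: image path under an Acronis directory
$allowedChildren = @('conhost.exe')                              # assumption: extend from your own baseline
$expectedRoots   = @('C:\Program Files\Acronis', 'C:\Program Files (x86)\Acronis',
                     'C:\ProgramData\Acronis')                   # ProgramData path is an assumption

function Test-SysmonEventXml([string]$xmlText) {
    $xml  = [xml]$xmlText
    $id   = [int]$xml.SelectSingleNode('//*[local-name()="EventID"]').InnerText
    $data = @{}
    foreach ($d in $xml.SelectNodes('//*[local-name()="Data"]')) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    switch ($id) {
        1 {   # process create: parent under Acronis, child not on the allowlist
            if ($data['ParentImage'] -match $acronisImage -and
                (Split-Path $data['Image'] -Leaf) -notin $allowedChildren) {
                return "Acronis parent $($data['ParentImage']) spawned $($data['Image']) [$($data['CommandLine'])]"
            }
        }
        11 {  # file create: Acronis image writing outside every expected root
            $target = [string]$data['TargetFilename']
            $inside = $expectedRoots | Where-Object { $target.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }
            if ($data['Image'] -match $acronisImage -and -not $inside) {
                return "Acronis process $($data['Image']) created $target outside its expected roots"
            }
        }
    }
    return $null
}

# Constructed sample events, not real telemetry; PLACEHOLDER segments stand in for product-specific
# paths. The first two samples are designed to alert; the third is benign baseline activity.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$samples = @(
    "<Event xmlns='$ns'><System><EventID>1</EventID></System><EventData>" +
    "<Data Name='Image'>C:\Windows\System32\cmd.exe</Data><Data Name='CommandLine'>cmd.exe /c whoami</Data>" +
    "<Data Name='ParentImage'>C:\Program Files\Acronis\PLACEHOLDER\service.exe</Data></EventData></Event>",
    "<Event xmlns='$ns'><System><EventID>11</EventID></System><EventData>" +
    "<Data Name='Image'>C:\Program Files\Acronis\PLACEHOLDER\service.exe</Data>" +
    "<Data Name='TargetFilename'>C:\Windows\System32\PLACEHOLDER.dll</Data></EventData></Event>",
    "<Event xmlns='$ns'><System><EventID>11</EventID></System><EventData>" +
    "<Data Name='Image'>C:\Program Files\Acronis\PLACEHOLDER\service.exe</Data>" +
    "<Data Name='TargetFilename'>C:\Program Files\Acronis\PLACEHOLDER\logs\agent.log</Data></EventData></Event>"
)
foreach ($s in $samples) { $hit = Test-SysmonEventXml $s; if ($hit) { Write-Output "ALERT: $hit" } }
# Live: Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1,11} |
#       ForEach-Object { Test-SysmonEventXml $_.ToXml() } | Where-Object { $_ }
```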
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: No authoritative evidence of active exploitation found. CISA KEV does not list CVE-2026-28722, and Acronis states its update carried no signs of active exploitation at publication time; see CISA KEV and Acronis update UPD-2510-e871-9553.
Public PoC availability: No public exploit or GitHub PoC surfaced in primary-result searching. That absence matters because local symlink LPEs usually need product-specific path and trigger knowledge.
EPSS: User-supplied EPSS is 0.00007 (~0.007%), which is effectively floor-level exploit probability. EPSS is a daily probability model from FIRST, not an impact score; see FIRST EPSS overview and FIRST API docs.
KEV status: Not KEV-listed as of the current review. That sharply reduces urgency compared with remotely exploitable bugs that CISA has already observed abused in the wild; source: CISA KEV catalog.
CVSS vector reality check: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H means local, already authenticated/low-privileged, and user interaction required. The single biggest downgrade driver is the attacker position: this is a *post-foothold host-escalation* bug, not an initial-access bug; source: NVD.
Affected versions: Affected product is Acronis Cyber Protect 17 (Windows) before build 41186. The NVD CPE enrichment maps this as acronis:cyber_protect versions earlier than 17.0.41186 on Windows; source: NVD and OpenCVE.
Fixed version: Vendor-fixed in build 41186 via the Acronis Cyber Protect 17 update train. No distro-backport story applies here because this is a Windows commercial product, not a Linux package; source: Acronis advisory SEC-8481 and Acronis update UPD-2510-e871-9553.
Scanning and exposure reality: This is not an internet exposure problem. Shodan/Censys/FOFA style counts are mostly irrelevant because the exploit path starts with local code execution on the host, not network reachability.
Disclosure timeline: The CNA record reached NVD on 2026-03-05, while vendor-advisory mirrors show disclosure on 2026-03-06. Use those absolute dates when reconciling feeds; see NVD and JVNDB mirror.
Researcher / reporting credit: No public researcher credit was exposed in the sources reviewed. This usually correlates with sparse technical detail, which in turn slows broad opportunistic exploitation.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.4/10)

The decisive factor is attacker position: exploitation requires a local foothold with low privileges on a vulnerable Windows host, and the CNA vector also says user interaction is required. That makes this a useful *post-compromise privilege escalator*, not a broad enterprise initial-access emergency.

HIGH: Affected product/build mapping to Acronis Cyber Protect 17 (Windows) before 41186
MEDIUM: Real-world exploitability assessment without a public PoC
HIGH: Absence of KEV listing and active-exploitation evidence in reviewed sources

Why this verdict

  • Down from vendor HIGH: AV:L/PR:L/UI:R is not a street-facing attack path; it starts after the attacker is already on the host.
  • Further downward pressure: user interaction is required, which materially reduces reliability and mass exploitation value.
  • No threat amplifiers present: no KEV listing, no public PoC found, and the supplied EPSS is near zero.
  • But not LOW: backup/security software often runs highly privileged, so a local LPE in this product can still be very useful to ransomware operators once they have a beachhead.
  • Blast radius is bounded: impact is severe on one machine, but the flaw does not create domain-wide or fleet-wide compromise by itself.

Why not higher?

A higher rating would require a broader reachable population or stronger threat evidence: remote reachability, no-auth abuse, active exploitation, or a dependable public exploit. None of those are present here. Every major prerequisite — local access, low privileges, and user interaction — narrows the attack population and compounds the downgrade.

Why not lower?

This is still privilege escalation in a product that commonly runs with elevated rights on operationally sensitive systems. On backup servers, management nodes, or admin workstations, turning a user foothold into SYSTEM can be consequential. Even without internet exposure, that makes it more than simple backlog lint.

05 · Compensating Control

What to do — in priority order.

  1. Restrict local logon paths — Reduce the set of users who can reach Acronis-managed Windows hosts interactively or via remote desktop. Because the reassessed verdict is MEDIUM, there is no mitigation SLA — but do this during normal hardening work so local footholds are harder to convert into privilege escalation.
  2. Tighten symlink and reparse-point abuse opportunities — Review developer-mode use, local policy, and writable directories that low-privileged users can control on Acronis hosts. The goal is to make attacker-controlled link creation and privileged path redirection harder while you work through patching; again, no mitigation SLA for this severity, so fold it into baseline Windows hardening.
  3. Watch Acronis processes with EDR — Alert on Acronis services writing outside expected directories, launching unexpected child processes, or touching protected files. This is the most realistic compensating control for a post-compromise LPE because it targets the behavior that turns a foothold into SYSTEM.
  4. Prioritize sensitive Acronis roles first — If you cannot patch all endpoints at once, move backup servers, management servers, and admin workstations with Acronis to the front of the line. Those machines have the highest blast radius if a local user or malware gains SYSTEM.
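The audit behind Compensating Controls 1 and 2 (and the Step 02 "where this breaks" conditions), as an added example that is not part of the noisgate page or its verification payload: it reports whether Developer Mode or the local security policy lets non-administrators create symbolic links, lists interactive and RDP logon holders for review, and finds directories under the Acronis install tree where Everyone, Authenticated Users or BUILTIN\Users hold write rights. It assumes PowerShell 5.1 or later, elevation (secedit /export needs it), and a C:\ProgramData\Acronis root that is a placeholder rather than a documented path.

```powershell
# audit-acronis-link-preconditions.ps1 (added example, not part of the noisgate payload)
# Read-only audit of the Step 02 preconditions and Compensating Controls 1 and 2: who can
# create symbolic links or log on to this host, and whether a low-privileged user can write
# inside a directory a privileged Acronis operation will touch (junctions need no privilege,
# so the ACL check matters most). Run elevated: secedit /export needs administrative rights.
$acronisRoots = @('C:\Program Files\Acronis', 'C:\Program Files (x86)\Acronis',
                  'C:\ProgramData\Acronis')                    # ProgramData path is an assumption
$lowPrivSids  = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')      # Everyone, Authenticated Users, BUILTIN\Users
$adminSid     = 'S-1-5-32-544'                                 # BUILTIN\Administrators
$writeMask    = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, WriteAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$findings     = New-Object System.Collections.Generic.List[string]

# 1. Developer Mode lets any user create symbolic links without SeCreateSymbolicLinkPrivilege.
$devMode = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock' `
                            -Name AllowDevelopmentWithoutDevLicense -ErrorAction SilentlyContinue
if ($devMode.AllowDevelopmentWithoutDevLicense -eq 1) {
    $findings.Add('Developer Mode is enabled: unprivileged users can create symbolic links')
}

# 2. Privilege Rights from the local security policy: symlink creation should be Administrators only;
#    interactive and RDP logon holders are listed for review against Compensating Control 1.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /quiet | Out-Null
$rights = @{}
foreach ($l in @(Get-Content -Path $inf -ErrorAction SilentlyContinue | Where-Object { $_ -match '^Se\w+ = ' })) {
    $k, $v = $l -split ' = ', 2
    $rights[$k] = @($v -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
}
Remove-Item $inf -Force -ErrorAction SilentlyContinue
$extra = @($rights['SeCreateSymbolicLinkPrivilege'] | Where-Object { $_ -and $_ -ne $adminSid })
if ($extra.Count) { $findings.Add("SeCreateSymbolicLinkPrivilege also granted to: $($extra -join ', ')") }
foreach ($r in 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight') {
    if ($rights[$r]) { $findings.Add("$r holders: $($rights[$r] -join ', ')") }
}

# 3. Low-privileged write access inside the Acronis tree is where a redirect point could be staged.
foreach ($root in $acronisRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($dir in @(Get-Item $root) + @(Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue)) {
        $acl = Get-Acl -Path $dir.FullName -ErrorAction SilentlyContinue
        foreach ($ace in @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })) {
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
            if ($lowPrivSids -contains $sid -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
                $findings.Add("$($ace.IdentityReference) can write in $($dir.FullName) ($($ace.FileSystemRights))")
            }
        }
    }
}
if ($findings.Count -eq 0) { Write-Output 'OK: no link-creation or writable-path preconditions found' }
else { $findings | Sort-Object -Unique | ForEach-Object { Write-Output "FINDING: $_" } }
```

Logon-right holders are reported for review rather than flagged, because BUILTIN\Users holding SeInteractiveLogonRight is the Windows default on workstations and only a finding when the host is a backup or management server.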
What doesn't work
  • A perimeter firewall does nothing here because the exploit path is local, not network-delivered.
  • WAF rules are irrelevant; there is no HTTP request pattern to block.
  • Internet-facing asset scans can tell you little about actual exploitability because the vulnerable condition lives in host-local file handling.
06 · Verification

Crowdsourced verification payload.

Run this on the target Windows host or through your endpoint management tool. Example: powershell -ExecutionPolicy Bypass -File .\check-acronis-cve-2026-28722.ps1. It needs standard read access to the local registry and filesystem; administrative rights are not usually required.

noisgate-verify.ps1 (PowerShell · read-only · safe)
# check-acronis-cve-2026-28722.ps1
# Detects whether Acronis Cyber Protect 17 for Windows is below fixed build 41186.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

$ErrorActionPreference = 'SilentlyContinue'
$fixedBuild = 41186

function Get-UninstallEntries {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $items = foreach ($p in $paths) {
        Get-ItemProperty -Path $p | Where-Object {
            $_.DisplayName -match 'Acronis Cyber Protect 17'
        }
    }

    return $items
}

function Get-BuildFromString([string]$s) {
    if ([string]::IsNullOrWhiteSpace($s)) { return $null }

    # Prefer the last 4-6 digit number in the string, which typically matches the build.
    # Use a local name here: $Matches is a PowerShell automatic variable and should not be overwritten.
    $m = [regex]::Matches($s, '(\d{4,6})')
    if ($m.Count -gt 0) {
        return [int]$m[$m.Count - 1].Value
    }

    return $null
}

function Get-FileBuildHints {
    $candidatePaths = @(
        'C:\Program Files\Acronis',
        'C:\Program Files (x86)\Acronis'
    )

    foreach ($base in $candidatePaths) {
        if (Test-Path $base) {
            $files = Get-ChildItem -Path $base -Recurse -Include *.exe,*.dll -ErrorAction SilentlyContinue | Select-Object -First 50
            foreach ($f in $files) {
                $ver = $f.VersionInfo.ProductVersion
                $b = Get-BuildFromString $ver
                if ($b) {
                    return $b
                }
            }
        }
    }

    return $null
}

$entries = Get-UninstallEntries

if (-not $entries -or $entries.Count -eq 0) {
    Write-Output 'UNKNOWN'
    exit 2
}

$detectedBuilds = @()
foreach ($entry in $entries) {
    $build = $null

    if ($entry.DisplayVersion) {
        $build = Get-BuildFromString $entry.DisplayVersion
    }

    if (-not $build -and $entry.PSChildName) {
        $build = Get-BuildFromString $entry.PSChildName
    }

    if ($build) {
        $detectedBuilds += $build
    }
}

if ($detectedBuilds.Count -eq 0) {
    $fallbackBuild = Get-FileBuildHints
    if ($fallbackBuild) {
        $detectedBuilds += $fallbackBuild
    }
}

if ($detectedBuilds.Count -eq 0) {
    Write-Output 'UNKNOWN'
    exit 2
}

$lowestBuild = ($detectedBuilds | Measure-Object -Minimum).Minimum

if ($lowestBuild -lt $fixedBuild) {
    Write-Output 'VULNERABLE'
    exit 1
}
else {
    Write-Output 'PATCHED'
    exit 0
}
07 · Bottom Line

If you remember one thing.

TL;DR
By Monday morning, pull an inventory of Windows systems running Acronis Cyber Protect 17 and flag anything below build 41186. This is a MEDIUM after reassessment, so there is no noisgate mitigation SLA — go straight to the 365-day remediation window; still, do not bury backup servers and management hosts in long-tail backlog. Patch those higher-value systems in the next normal maintenance cycle, then clear the remaining vulnerable Windows installs inside the noisgate remediation SLA of ≤365 days.

Sources

  1. NVD CVE-2026-28722
  2. Acronis advisory SEC-8481
  3. Acronis Cyber Protect 17 update UPD-2510-e871-9553
  4. CISA Known Exploited Vulnerabilities Catalog
  5. FIRST EPSS overview
  6. FIRST EPSS API documentation
  7. OpenCVE record
  8. JVNDB mirror entry