← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-28727 · CWE-276 · Disclosed 2026-03-06

Local privilege escalation due to insecure Unix socket permissions

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a valet key left in the ignition, not a burglar opening your front door

CVE-2026-28727 is a local privilege escalation in Acronis macOS products caused by overly permissive Unix socket permissions. The affected ranges called out by Acronis/NVD are Acronis Cyber Protect 17 (macOS) before build 41186, Acronis Cyber Protect Cloud Agent (macOS) before build 41124, and later-added Acronis True Image (macOS) before build 42902. In plain English: a low-privileged local user can talk to a privileged Acronis service over a socket that should have been locked down more tightly.

The vendor's 7.8/HIGH is technically fair in CVSS terms because successful exploitation can hand over root-equivalent impact on the box. Operationally, though, this is less urgent than the label implies: it requires existing local code execution plus a logged-in low-priv account, only affects macOS endpoints with specific Acronis builds, and the blast radius is one host at a time. With no KEV listing, no public exploitation evidence, and very low EPSS, this lands better as MEDIUM for enterprise patch scheduling.

"A solid local privesc, but it is still post-compromise and host-local on a narrow macOS Acronis subset"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land a low-privileged local foothold

The attacker first needs code execution as a non-admin user on a vulnerable macOS endpoint. In practice that usually means malware already running under the user session, a malicious local user, or a post-phish implant. Tooling at this stage is whatever delivered the foothold; this CVE does not provide initial access.
Conditions required:
  • Target is a macOS host
  • Affected Acronis product and vulnerable build are installed
  • Attacker already has a local user context or code execution
Where this breaks in practice:
  • This is post-initial-access by definition
  • macOS is only a subset of most enterprise fleets
  • Many enterprise Macs are single-user corporate devices, not shared multi-user systems
Detection/coverage: Vulnerability scanners can flag vulnerable Acronis versions, but they will not prove exploitability unless they also inspect socket ownership and mode bits.
STEP 02

Find the exposed Unix socket

With local access, the attacker enumerates Acronis-owned Unix domain sockets and their permissions using tools like lsof -U, find, or ls -l. The exploit condition is a socket reachable by an unprivileged account that proxies commands into a privileged service.
Conditions required:
  • Acronis service creates the vulnerable socket on disk
  • Socket path is discoverable by the local user
  • Socket mode bits or ownership allow access
Where this breaks in practice:
  • Defenders can sometimes reduce exposure if the socket lives in a protected directory or inherited permissions differ
  • Some product configurations may not expose the same local service surface
Detection/coverage: EDR generally has weak built-in coverage for Unix socket permission misconfigurations; host-based audits or custom checks are better.
STEP 03

Abuse the privileged IPC channel

The attacker connects with a local socket client such as nc -U, socat, or a bespoke script and sends the request sequence the Acronis service trusts. If the service does not perform a second authorization check beyond socket reachability, the local user can coerce privileged actions.
Conditions required:
  • Acronis service accepts attacker-controlled input over the socket
  • No secondary authentication blocks requests
  • The service runs with elevated privileges
Where this breaks in practice:
  • An exploit still needs product-specific request formatting, so this is not as turnkey as a one-packet network RCE
  • No public GitHub PoC surfaced in the sources reviewed as of 2026-05-30
Detection/coverage: Behavioral EDR may catch suspicious child processes or file changes after privilege escalation, but the socket interaction itself is easy to miss.
STEP 04

Escalate to root on that host

Once the privileged service performs the attacker's requested operation, the attacker can gain elevated execution or modify protected resources. The practical outcome is host-local privilege escalation: persistence, credential theft from that Mac, security tool tampering, or lateral movement staging from the newly privileged endpoint.
Conditions required:
  • The requested privileged action yields code execution or equivalent control
  • macOS protections do not independently block the post-escalation action
Where this breaks in practice:
  • Impact is generally confined to a single endpoint rather than fleet-wide compromise
  • Modern EDR can still stop noisy post-root behavior even if the escalation itself succeeds
Detection/coverage: Look for unexpected privileged process launches from Acronis parents, permission changes under protected paths, and sudden access to secrets/keychains after an Acronis process interaction.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public evidence of active exploitation found in the reviewed sources as of 2026-05-30. Acronis update pages state they saw no signs of active exploitation.
KEV statusNot listed in CISA KEV in the sources reviewed; that materially lowers urgency versus remotely exploitable enterprise software defects.
PoC availabilityNo public GitHub PoC surfaced in reviewed searches for CVE-2026-28727. That is an inference from source review, not proof no private exploit exists.
EPSSUser-supplied EPSS is 0.00016. That is effectively near-floor probability and matches the operational story: narrow reach, local-only exploitation.
CVSS vectorCVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H — the important part is AV:L/PR:L: attacker already needs a foothold and a local account.
Affected versionsAcronis Cyber Protect 17 (macOS) < 41186, Acronis Cyber Protect Cloud Agent (macOS) < 41124, Acronis True Image (macOS) < 42902.
Fixed versionsUpgrade to at least Cyber Protect 17 build 41186, Cloud Agent build 41124, and True Image build 42902. This is a vendor build-number fix, not a distro backport case.
Exposure/scanning realityInternet exposure data from Shodan/Censys/FOFA is largely irrelevant by design here because exploitation is via local Unix sockets, not a remotely reachable network service. That is an inference from the CVSS vector and flaw type.
Disclosure timelinePublished by the CNA on 2026-03-05/2026-03-06 depending on feed timezone; NVD shows publication on 2026-03-05 and later modification on 2026-04-02.
Reporter / creditAcronis is the CNA. Search-result evidence for the Acronis update page attributes the issue to @aiqitut.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.8/10)

The decisive factor is attacker position requirement: this bug is only useful after an adversary already has local code execution on a vulnerable macOS endpoint. That sharply narrows both reachable population and immediate blast radius, so the vendor's HIGH overstates enterprise patch urgency.

HIGH Affected product scope and fixed builds
HIGH Downgrade based on local-only, post-compromise attacker position
MEDIUM Absence of public PoC and public exploitation evidence as of 2026-05-30

Why this verdict

  • Start from 7.8/HIGH, then subtract for attacker position: AV:L/PR:L means the attacker already has local execution and a user context. That is post-initial-access, not an entry-point bug.
  • Subtract for reachable population: only macOS endpoints with specific Acronis products and vulnerable builds are in scope. That is a much smaller exposed set than a cross-platform or remotely reachable service flaw.
  • Subtract for blast radius: exploitation yields privilege on one host, not unauthenticated domain-wide or internet-scale compromise. Even if impact on that host is severe, the chain does not naturally fan out.
  • Keep it above LOW because the exploit path is simple once local: low complexity, no user interaction, and high CIA impact on the endpoint make this a meaningful post-exploitation amplifier.
  • No external amplifier: no KEV, no public exploitation evidence, and extremely low EPSS mean there is no threat-intel reason to preserve the vendor HIGH.

Why not higher?

To justify HIGH here, you would want an amplifier like active exploitation, broad product prevalence, or a path from unauthenticated remote access to impact. None of those are present in the reviewed sources. This is a local macOS privesc requiring an existing foothold, which is exactly the kind of compounding friction that should drag the score down.

Why not lower?

This is still a real privilege escalation, not a cosmetic misconfiguration. Once an attacker has a user-level foothold, the path to root appears straightforward and can defeat the boundary between ordinary user compromise and full host compromise. On shared Macs, developer endpoints, or already-compromised hosts, that matters enough to stay above LOW.

05 · Compensating Control

What to do — in priority order.

  1. Audit Acronis installs on macOS — Identify Macs running the affected products and build numbers, then prioritize the subset exposed to higher local-user risk such as shared workstations, lab Macs, and developer endpoints. For a MEDIUM verdict there is no mitigation SLA, so use this as scoping work before normal-cycle remediation.
  2. Reduce local user exposure — Limit interactive logons to managed corporate users, remove stale local accounts, and avoid shared non-admin accounts on vulnerable Macs. This directly attacks the main prerequisite: a low-privileged local user context.
  3. Watch Acronis parent-child behavior — Deploy or tune EDR analytics for unusual privileged process launches, file writes to protected locations, and permission changes originating from Acronis processes. Because the Unix socket interaction itself may be quiet, catching the post-escalation behavior is the practical control.
  4. Harden socket/file permissions where validated — If your packaging and vendor support model allow it, validate ownership and mode bits on Acronis-created sockets and containing directories, and restore restrictive permissions through managed configuration. Treat this as a temporary guardrail, not a substitute for upgrading.
  5. Segment admin rights on Macs — Use least privilege, admin elevation workflows, and strong monitoring around local privilege grants. This does not stop the vulnerable socket itself, but it reduces attacker payoff and improves detection around attempted privilege transitions.
What doesn't work
  • A WAF, NGFW, or internet perimeter control will not help because the exploit path is local IPC over Unix sockets, not inbound network traffic.
  • Password rotation alone does not remediate the socket permission flaw; once code is already running as a local user, the vulnerable trust boundary is still there.
  • Only blocking external exposure scans is irrelevant here because scanners like Shodan/Censys cannot see a host-local Unix socket vulnerability.
06 · Verification

Crowdsourced verification payload.

Run this on the target macOS host from Terminal or through your RMM/MDM shell. Example: bash acronis_cve_2026_28727_check.sh; no root is required for standard app-bundle checks, though elevated rights may help if your Acronis install paths are unusually locked down.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/bin/bash
# CVE-2026-28727 verification for macOS Acronis products
# Outputs: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

found_any=0
unknown_any=0
vuln_any=0

# Compare two integer build numbers: returns 0 if $1 < $2
lt_build() {
  local a="$1" b="$2"
  [[ "$a" =~ ^[0-9]+$ ]] || return 1
  [[ "$b" =~ ^[0-9]+$ ]] || return 1
  (( a < b ))
}

# Read CFBundleVersion from an app bundle
get_bundle_build() {
  local app="$1"
  local plist="$app/Contents/Info.plist"
  local v=""

  if [[ -f "$plist" ]]; then
    v=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleVersion' "$plist" 2>/dev/null || true)
    if [[ -z "$v" ]]; then
      v=$(defaults read "$app/Contents/Info" CFBundleVersion 2>/dev/null || true)
    fi
  fi
  echo "$v"
}

check_product() {
  local label="$1"
  local pattern="$2"
  local fixed_build="$3"
  local paths=()
  local build=""
  local matched=0

  while IFS= read -r p; do
    paths+=("$p")
  done < <(find /Applications "$HOME/Applications" /Library/Application\ Support -maxdepth 4 \( -iname "$pattern" -o -iname "$pattern.app" \) 2>/dev/null | sort -u)

  for app in "${paths[@]}"; do
    matched=1
    found_any=1
    build=$(get_bundle_build "$app")

    if [[ -z "$build" ]]; then
      echo "UNKNOWN: $label found at $app but build could not be read"
      unknown_any=1
      continue
    fi

    if lt_build "$build" "$fixed_build"; then
      echo "VULNERABLE: $label at $app build $build < fixed build $fixed_build"
      vuln_any=1
    else
      echo "PATCHED: $label at $app build $build >= fixed build $fixed_build"
    fi
  done

  return 0
}

# Product checks based on vendor/NVD affected ranges
check_product "Acronis Cyber Protect 17 (macOS)" "*Cyber Protect*" "41186"
check_product "Acronis Cyber Protect Cloud Agent (macOS)" "*Cloud Agent*" "41124"
check_product "Acronis True Image (macOS)" "*True Image*" "42902"

if (( found_any == 0 )); then
  echo "UNKNOWN: No matching Acronis macOS product paths found"
  exit 2
fi

if (( vuln_any == 1 )); then
  echo "VULNERABLE"
  exit 1
fi

if (( unknown_any == 1 )); then
  echo "UNKNOWN"
  exit 2
fi

echo "PATCHED"
exit 0
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not treat this like an emergency fleet-wide fire drill unless you already have evidence of local compromise on vulnerable Macs. Use your next cycle to inventory Acronis macOS installs, validate build numbers, and remediate vulnerable endpoints within the noisgate remediation SLA of 365 days; there is no noisgate mitigation SLA — go straight to the 365-day remediation window. In practice, patch the higher-risk slice first: shared-user Macs, developer endpoints, and any host where EDR already shows suspicious local activity, because this CVE is a strong post-compromise privilege escalator rather than an initial-access vector.

Sources

  1. NVD CVE-2026-28727
  2. Acronis advisory SEC-9408
  3. Acronis True Image build 42902 update page
  4. CISA Known Exploited Vulnerabilities Catalog
  5. FIRST EPSS
  6. CVE.org record
  7. SentinelOne vulnerability database entry
  8. Vulners record
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.