CVE-2022-44746: CWE-200 in Acronis Acronis Cyber Protect Home Office
Sensitive information disclosure due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40107.
AI Analysis
Technical Summary
CVE-2022-44746 is classified under CWE-200 (Information Exposure) and affects Acronis Cyber Protect Home Office for Windows before build 40107. The root cause is insecure folder permissions: the application's folders are not properly restricted, so a local user with limited privileges can read potentially sensitive data stored in them. Exploitation requires local access (Attack Vector: Local), low privileges (Privileges Required: Low) and user interaction (User Interaction: Required), and attack complexity is high, meaning an attacker must overcome certain conditions to exploit the vulnerability. The CVSS v3.0 base score is 2.2 (low severity). The impact is limited to confidentiality (C:L), with no impact on integrity or availability. There are no known exploits in the wild, and no patches were explicitly linked in the provided information, though build 40107 and later presumably address the issue. The vulnerability cannot be exploited remotely, but it could expose sensitive user data stored by the application to unauthorized local users, which could be leveraged for further attacks or privacy violations.
Potential Impact
For European organizations, the primary impact of CVE-2022-44746 is the potential unauthorized disclosure of sensitive backup or cybersecurity-related data stored by Acronis Cyber Protect Home Office on Windows endpoints. This could include personal data, backup configurations, or other confidential information. While the vulnerability requires local access and user interaction, it poses a risk in environments where multiple users share systems or where attackers have gained limited local access through other means (e.g., phishing, social engineering, or lateral movement after initial compromise). The confidentiality breach could lead to privacy violations under GDPR if personal data is exposed, potentially resulting in regulatory penalties and reputational damage. However, since the vulnerability does not affect system integrity or availability, it is unlikely to cause operational disruption. The risk is more pronounced in organizations with less strict endpoint access controls or in shared workstation environments. Overall, the impact is moderate but should not be ignored, especially in sectors handling sensitive personal or business data.
Mitigation Recommendations
To mitigate CVE-2022-44746, European organizations should:
1) Ensure that all installations of Acronis Cyber Protect Home Office are updated to build 40107 or later, where the folder permission issues are resolved.
2) Review and harden file system permissions on folders used by Acronis products to restrict access strictly to authorized users and system processes only.
3) Implement strict endpoint access controls, including limiting local user accounts and enforcing the principle of least privilege to reduce the risk of unauthorized local access.
4) Monitor and audit local user activities on endpoints running Acronis software to detect any unusual access patterns.
5) Educate users about the risks of local privilege escalation and the importance of not interacting with suspicious prompts or software.
6) In multi-user environments, consider isolating user profiles or using virtualization/containerization to limit cross-user data exposure.
These steps go beyond generic patching advice by emphasizing permission audits, endpoint hardening, and user behavior monitoring specific to the nature of this vulnerability.
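One way to carry out the permission review in step 2, as an added example (not code from the advisory or from Acronis): a PowerShell audit that walks a folder tree and reports allow-ACEs granting read access to broad local groups. The `$Path` parameter and the `Get-BroadReadAce` helper are assumptions of this example; the advisory does not name the affected folder, so the path must be supplied by the operator.

```powershell
# Added example: audit a folder tree for ACEs that let broad local groups read its contents.
# $Path is a placeholder; the advisory does not name the affected folder.
param(
    [Parameter(Mandatory)][string]$Path   # folder to audit, chosen by the operator
)

# Well-known SIDs for principals that include ordinary local users.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that disclose content: read file data / list directory, plus the raw
# generic bits that some ACEs carry instead of specific file rights.
$ReadData    = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$GenericMask = 0x80000000 -bor 0x10000000   # GENERIC_READ | GENERIC_ALL

# Hypothetical helper: returns one object per broad read-capable allow-ACE on $Item.
function Get-BroadReadAce {
    param([string]$Item)
    $acl = Get-Acl -LiteralPath $Item -ErrorAction Stop
    # Ask for SIDs directly so the check does not depend on localized group names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or -not $BroadSids.ContainsKey($sid)) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $ReadData) -or ($rights -band $GenericMask)) {
            [pscustomobject]@{
                Path      = $Item
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check the root and every subfolder; report unreadable items instead of stopping.
$targets = @($Path) + @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object FullName)
foreach ($t in $targets) {
    try   { Get-BroadReadAce -Item $t }
    catch { Write-Warning "Could not read ACL for ${t}: $($_.Exception.Message)" }
}
```

Rows with `Inherited = False` mark the folders where the broad entry is set explicitly, which is where a permission change takes effect for everything beneath them.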
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Acronis
- Date Reserved: 2022-11-04T17:26:52.916Z
- CISA Enriched: true
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 682d983bc4522896dcbee20c
Added to database: 5/21/2025, 9:09:15 AM
Last enriched: 6/25/2025, 6:21:41 AM
Last updated: 7/29/2025, 7:28:40 PM