CVE-2025-11790: CWE-732 in Acronis Acronis Cyber Protect Cloud Agent

Medium
Type: Vulnerability
Tags: CVE-2025-11790, cve, cve-2025-11790, cwe-732
Published: Thu Mar 05 2026 (03/05/2026, 23:47:00 UTC)
Source: CVE Database V5
Vendor/Project: Acronis
Product: Acronis Cyber Protect Cloud Agent

Description

Credentials are not deleted from Acronis Agent after plan revocation. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 41124.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/13/2026, 19:50:40 UTC

Technical Analysis

CVE-2025-11790 is a vulnerability identified in the Acronis Cyber Protect Cloud Agent, a widely used backup and cybersecurity solution deployed across Linux, macOS, and Windows platforms. The vulnerability is categorized under CWE-732, which involves incorrect permission assignment for critical resources. Specifically, the issue arises because the agent fails to delete stored credentials after a plan revocation event. When a backup or protection plan is revoked, the agent should securely remove all associated credentials to prevent unauthorized reuse. However, in affected versions prior to build 41124, these credentials remain on the system. This residual credential data can be exploited by an attacker who has already obtained high-level privileges on the host system to access sensitive information or potentially escalate their access further. The CVSS v3.0 score of 4.4 reflects medium severity, primarily due to the requirement for local access with high privileges (PR:H) and no user interaction (UI:N). The vulnerability impacts confidentiality (C:H) but does not affect integrity or availability. While no public exploits have been reported, the persistence of credentials on disk represents a significant security risk, especially in environments where multiple users or administrators share access or where systems are not tightly controlled. The vulnerability affects all major operating systems supported by the agent, increasing the scope of potential impact. The lack of a patch link suggests that remediation involves upgrading to build 41124 or later, where this issue is presumably fixed.

Potential Impact

The primary impact of CVE-2025-11790 is the potential compromise of sensitive credentials stored by the Acronis Cyber Protect Cloud Agent after plan revocation. This can lead to unauthorized access to backup or protection services, exposing confidential data and potentially allowing lateral movement within an organization's network. Although exploitation requires high privilege local access, the vulnerability increases the risk surface by retaining credentials that should have been securely removed. This can facilitate insider threats or post-compromise persistence by attackers. Organizations relying on Acronis Cyber Protect Cloud Agent for critical backup and cybersecurity functions may face data confidentiality breaches, undermining trust in their data protection strategies. The vulnerability does not directly impact system integrity or availability, but the exposure of credentials could indirectly lead to further attacks or data exfiltration. Given the cross-platform nature of the agent, the threat spans diverse IT environments, including enterprise servers, workstations, and cloud instances. The absence of known exploits reduces immediate risk but does not eliminate the potential for future targeted attacks, especially in sectors with high-value data or regulatory compliance requirements.

Mitigation Recommendations

To mitigate CVE-2025-11790, organizations should prioritize upgrading the Acronis Cyber Protect Cloud Agent to build 41124 or later, where the credential deletion issue is resolved. Until the update is applied, implement strict access controls to limit local high-privilege access to trusted administrators only, reducing the risk of credential exposure. Regularly audit and monitor systems for unauthorized access attempts and credential misuse. Employ endpoint detection and response (EDR) solutions to detect suspicious activities related to credential access or privilege escalation. Additionally, enforce strong credential management policies, including the use of unique, short-lived credentials and multi-factor authentication where supported. Consider isolating backup agents in segmented network zones to minimize lateral movement opportunities. Finally, maintain comprehensive logging of plan revocations and credential storage events to facilitate incident response and forensic analysis if needed.

Technical Details

Data Version: 5.2
Assigner Short Name: Acronis
Date Reserved: 2025-10-15T13:25:36.751Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 69aa1962c48b3f10ff8d2af6

Added to database: 3/6/2026, 12:01:38 AM

Last enriched: 3/13/2026, 7:50:40 PM

Last updated: 4/19/2026, 5:40:15 AM
