CVE-2025-11791: CWE-862 in Acronis Cyber Protect 17
CVE-2025-11791 is a medium-severity vulnerability in Acronis Cyber Protect 17 and Acronis Cyber Protect Cloud Agent affecting Linux, macOS, and Windows platforms. It arises from insufficient authorization checks (CWE-862), allowing users with limited privileges to manipulate sensitive information. The vulnerability does not impact confidentiality but can lead to integrity violations without requiring user interaction. Exploitation requires local access with low privileges, and no known exploits are currently in the wild. The affected products are widely used for backup and cybersecurity protection, making the integrity risk significant for organizations relying on these solutions. Mitigation involves applying vendor patches once available and implementing strict access controls to limit local user privileges. Countries with substantial enterprise adoption of Acronis products, including the United States, Germany, United Kingdom, Canada, Australia, Japan, and South Korea, are most at risk. Organizations should prioritize monitoring and restricting local access to these systems to reduce exploitation risk.
AI Analysis
Technical Summary
CVE-2025-11791 is a vulnerability identified in Acronis Cyber Protect 17 and Acronis Cyber Protect Cloud Agent across Linux, macOS, and Windows platforms prior to builds 41186 and 41124 respectively. The root cause is insufficient authorization checks (CWE-862), which means that the software fails to properly verify whether a user has the necessary permissions before allowing access to certain functions or data. This flaw enables users with low-level privileges (PR:L) to manipulate sensitive information, impacting the integrity of the system. The vulnerability does not affect confidentiality or availability, and no user interaction is required to exploit it. The CVSS 3.0 base score is 5.5 (medium), reflecting the local attack vector, low complexity, and the requirement of low privileges but no user interaction. Although no known exploits are currently reported in the wild, the vulnerability poses a risk to organizations using these Acronis products for backup and cybersecurity management, as unauthorized manipulation of data could undermine system trustworthiness and recovery processes. The vulnerability affects multiple operating systems, increasing the scope of potential impact. The lack of available patches at the time of reporting necessitates immediate mitigation through access control and monitoring.
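The summary above describes the CWE-862 pattern in general terms: a state-changing operation is reachable by a caller whose permissions are never checked. The following added example (not Acronis code, and making no claim about how the affected products are implemented internally) shows that pattern against a constructed backup-settings store, next to the hardened form that authorizes before mutating and records denied attempts for monitoring. The role names, permission strings and settings are assumptions made for the illustration.

```python
"""CWE-862 (missing authorization) illustrated on a toy backup-settings store.

Added example code; the roles, permission names and settings are constructed
for the demonstration and do not describe any real product's model.
"""
from dataclasses import dataclass, field

# Constructed role -> permission mapping (assumption for this example).
ROLE_PERMISSIONS = {
    "admin": {"backup.settings.read", "backup.settings.write"},
    "operator": {"backup.settings.read"},  # low-privilege local user (PR:L)
}


@dataclass
class User:
    name: str
    role: str


@dataclass
class SettingsStore:
    retention_days: int = 30
    audit_log: list = field(default_factory=list)


def has_permission(user: User, permission: str) -> bool:
    """Return True if the user's role grants the named permission."""
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def set_retention_vulnerable(store: SettingsStore, user: User, days: int) -> bool:
    """CWE-862 pattern: the caller's identity is known but never compared
    against the permission the operation requires, so any local user with
    access to this function can change the setting."""
    store.retention_days = days
    store.audit_log.append(f"CHANGED retention_days={days} by {user.name}")
    return True


def set_retention(store: SettingsStore, user: User, days: int) -> bool:
    """Hardened form: authorize before mutating state, validate the input,
    and log denials so unexpected modification attempts are visible."""
    if not has_permission(user, "backup.settings.write"):
        store.audit_log.append(
            f"DENIED retention change by {user.name} (role={user.role})"
        )
        raise PermissionError(f"{user.name} lacks backup.settings.write")
    if days < 1:
        raise ValueError("retention must be at least 1 day")
    store.retention_days = days
    store.audit_log.append(f"CHANGED retention_days={days} by {user.name}")
    return True


def try_set_retention(store: SettingsStore, user: User, days: int) -> str:
    """Convenience wrapper returning 'ok' or 'denied' for the hardened path."""
    try:
        set_retention(store, user, days)
        return "ok"
    except PermissionError:
        return "denied"


def denied_attempts(store: SettingsStore) -> list:
    """Audit entries an operator would review when monitoring for misuse."""
    return [e for e in store.audit_log if e.startswith("DENIED")]


if __name__ == "__main__":
    low = User("alice", "operator")
    admin = User("root", "admin")

    weak = SettingsStore()
    set_retention_vulnerable(weak, low, 1)  # low-privilege user succeeds
    print("vulnerable store retention:", weak.retention_days)

    hardened = SettingsStore()
    print("operator attempt:", try_set_retention(hardened, low, 1))
    print("admin attempt:", try_set_retention(hardened, admin, 90))
    print("retention:", hardened.retention_days)
    print("audit:", hardened.audit_log)
```

The hardened function also answers mitigation item 4 on the page: denied attempts are written to the same audit trail as successful changes, so a review of `DENIED` entries surfaces a low-privilege account probing a write path it should not reach.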
Potential Impact
The primary impact of CVE-2025-11791 is on the integrity of sensitive information managed by Acronis Cyber Protect 17 and its Cloud Agent. Attackers with low-level privileges on affected systems can manipulate data or configurations without proper authorization, potentially leading to corrupted backups, altered security settings, or compromised recovery processes. This undermines the reliability of backup and cybersecurity solutions, which are critical for organizational resilience. While confidentiality and availability are not directly affected, the integrity breach can facilitate further attacks or operational disruptions. Organizations relying heavily on Acronis products for data protection may face increased risk of data tampering, compliance violations, and operational downtime. The requirement for local access limits remote exploitation but does not eliminate risk, especially in environments with multiple users or inadequate privilege separation. The absence of known exploits suggests limited current threat but also highlights the need for proactive mitigation before attackers develop exploit code.
Mitigation Recommendations
1. Apply patches from Acronis immediately once they become available to address the authorization check flaws.
2. Until patches are released, enforce strict access controls to limit local user privileges on systems running Acronis Cyber Protect 17 and Cloud Agent.
3. Implement role-based access control (RBAC) to ensure users have only the minimum necessary permissions.
4. Monitor system logs and audit trails for unusual access or modification attempts related to Acronis software components.
5. Use endpoint protection solutions to detect and prevent unauthorized local privilege escalations.
6. Regularly review and update security policies to restrict local access to trusted personnel only.
7. Educate system administrators and users about the risks of local privilege misuse and the importance of maintaining secure configurations.
8. Consider network segmentation to isolate critical backup and cybersecurity infrastructure from general user environments.
9. Maintain up-to-date backups stored securely offline to recover from potential data integrity compromises.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Japan, South Korea, France, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Acronis
- Date Reserved: 2025-10-15T13:28:33.632Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 69aa1962c48b3f10ff8d2afa
Added to database: 3/6/2026, 12:01:38 AM
Last enriched: 3/6/2026, 12:21:46 AM
Last updated: 3/6/2026, 3:56:45 AM