CVE-2025-11791: CWE-862 in Acronis Cyber Protect 17
Sensitive information disclosure and manipulation due to insufficient authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186, Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 41124.
AI Analysis
Technical Summary
CVE-2025-11791 is a vulnerability classified under CWE-862 (Insufficient Authorization) in Acronis Cyber Protect 17 and Acronis Cyber Protect Cloud Agent on Linux, macOS, and Windows, specifically in builds before 41186 and 41124, respectively. The flaw allows users with limited privileges (low-level authenticated users) to bypass authorization checks and manipulate sensitive information within the product. While the vulnerability does not disclose confidential data directly, it compromises data integrity by permitting unauthorized modifications. The attack vector is local (AV:L): the attacker needs some level of access to the system, but no user interaction is required (UI:N). The CVSS v3.0 base score is 5.5, reflecting medium severity due to the ease of exploitation with low privileges and the impact on integrity, with no impact on confidentiality or availability. No known exploits have been reported in the wild, and no official patches have been linked yet, indicating that the vulnerability is newly disclosed or under vendor remediation. Because Acronis Cyber Protect is widely deployed in enterprise environments for backup and cybersecurity management, malicious insiders or attackers who have gained limited access could use this vulnerability to escalate their capabilities and manipulate backup or security data, potentially undermining system reliability and recovery processes.
Potential Impact
The primary impact of CVE-2025-11791 is on the integrity of sensitive information managed by Acronis Cyber Protect products. Unauthorized modification of backup or security data could lead to corrupted backups, misleading security alerts, or compromised recovery processes, which in turn can disrupt business continuity and incident response. Organizations relying on these products for critical data protection may face an increased risk of undetected tampering or sabotage by low-privileged users or attackers with limited access. Although confidentiality and availability are not directly affected, the integrity breach can have cascading effects on the trustworthiness of backup data and on overall security posture. The local attack vector limits remote exploitation but does not eliminate risk in environments where multiple users have access or where attackers have gained a foothold through other means. The absence of known exploits reduces the immediate threat but does not preclude future exploitation, especially in targeted attacks against enterprises using Acronis solutions.
Mitigation Recommendations
Until official patches are released, organizations should implement strict access control policies to limit local user privileges on systems running Acronis Cyber Protect 17 and Cloud Agent. Employ role-based access controls to ensure only trusted administrators have modification rights. Monitor logs and audit trails for unusual activity related to manipulation of backup and security data. Consider isolating backup management systems from general user environments to reduce the attack surface. Regularly review and update endpoint security measures to prevent unauthorized local access. Once patches become available, prioritize their deployment across all affected platforms. Additionally, conduct internal security awareness training to highlight the risks of privilege misuse, and enforce strong authentication mechanisms to reduce the risk of unauthorized local access. Engage with Acronis support channels for updates on remediation and best practices.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, Netherlands, Switzerland, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: Acronis
- Date Reserved: 2025-10-15T13:28:33.632Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 69aa1962c48b3f10ff8d2afa
Added to database: 3/6/2026, 12:01:38 AM
Last enriched: 3/13/2026, 7:50:50 PM
Last updated: 4/19/2026, 12:18:56 PM