CVE-2025-30407 is a local privilege escalation vulnerability identified in the Acronis Cyber Protect Cloud Agent for Windows systems prior to build 39713. The root cause is a binary hijacking issue classified under CWE-426, which occurs when an application loads and executes a binary or DLL from an untrusted or improperly validated location. In this case, the Acronis agent may load malicious binaries placed by a local attacker with limited privileges, allowing them to execute code with elevated privileges. The vulnerability requires local access, and the attacker must have at least low-level privileges on the system. The attack complexity is high because the attacker must manipulate the environment to hijack the binary load process successfully. No user interaction is needed once local access is obtained. The CVSS v3.0 base score is 6.3, reflecting medium severity, with high impact on confidentiality and integrity but no impact on availability. The vulnerability does not have a publicly available patch at the time of reporting, and no known exploits have been observed in the wild. This vulnerability could be leveraged by attackers to gain administrative control over affected systems, potentially leading to further compromise of sensitive data and system configurations.

The vulnerability allows a local attacker with limited privileges to escalate their rights to higher privilege levels, potentially administrative. This can lead to unauthorized access to sensitive data, modification of system configurations, and disabling or tampering with security controls provided by the Acronis agent. Organizations relying on Acronis Cyber Protect Cloud Agent for endpoint protection and backup integrity may face increased risk of compromise if this vulnerability is exploited. The impact is significant in environments where local user accounts are shared or where attackers can gain initial foothold with low privileges. Although availability is not directly affected, the confidentiality and integrity of protected data and system operations are at risk. This could facilitate further lateral movement, persistence, and data exfiltration within enterprise networks.

To mitigate this vulnerability, organizations should monitor for and apply patches or updated builds from Acronis as soon as they become available, specifically versions at or beyond build 39713. Until patches are released, implement strict access controls to limit local user privileges and prevent untrusted users from writing to directories or locations where the Acronis agent loads binaries. Employ application whitelisting and binary integrity verification tools to detect and prevent unauthorized binary modifications or insertions. Regularly audit system file permissions and monitor for unusual file system changes in the agent’s installation and execution paths. Consider isolating critical systems running the agent to reduce the risk of local privilege escalation. Additionally, educate system administrators to recognize signs of binary hijacking attempts and maintain robust endpoint detection and response (EDR) capabilities to identify suspicious local activities.