
CVE-2025-30408: CWE-732 in Acronis Acronis Cyber Protect Cloud Agent

Medium
Tags: Vulnerability, CVE-2025-30408, cve, cve-2025-30408, cwe-732
Published: Thu Apr 24 2025 (04/24/2025, 13:04:26 UTC)
Source: CVE
Vendor/Project: Acronis
Product: Acronis Cyber Protect Cloud Agent

Description

Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39904, Acronis Cyber Protect 16 (Windows) before build 39938.

AI-Powered Analysis

AI analysis last updated: 07/07/2025, 04:11:19 UTC

Technical Analysis

CVE-2025-30408 is a local privilege escalation vulnerability in Acronis Cyber Protect Cloud Agent and Acronis Cyber Protect 16 for Windows. Its root cause is insecure folder permissions (CWE-732: Incorrect Permission Assignment for Critical Resource): folders used by the Acronis agent are not properly secured, so a local attacker with limited privileges can manipulate files or directories in a way that leads to arbitrary code execution or modification of critical files with elevated privileges.

Affected versions are Acronis Cyber Protect Cloud Agent prior to build 39904 and Acronis Cyber Protect 16 prior to build 39938. The CVSS v3.0 base score is 6.7, a medium severity rating. The vector string (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H) shows that the attack requires local access (AV:L), high attack complexity (AC:H), low privileges (PR:L) and user interaction (UI:R); the scope is unchanged (S:U), while the impact on confidentiality, integrity and availability is high (C:H/I:H/A:H).

No known exploits are in the wild, and no official patches or mitigation links had been published at the time of this report. The vulnerability is significant because Acronis Cyber Protect products are widely deployed in enterprise environments for backup, recovery and cybersecurity protection, so exploitation could compromise critical systems and data.

Potential Impact

For European organizations, this vulnerability poses a considerable risk, especially for enterprises relying on Acronis Cyber Protect Cloud Agent or Acronis Cyber Protect 16 for their backup and cybersecurity infrastructure. Successful exploitation could allow an attacker with local access—such as an insider threat or a user who has gained limited access through other means—to escalate privileges and gain administrative control over affected systems. This could lead to unauthorized access to sensitive data, disruption of backup and recovery operations, and potential deployment of further malware or ransomware. Given the high impact on confidentiality, integrity, and availability, organizations could face data breaches, operational downtime, and compliance violations under regulations such as GDPR. The requirement for user interaction and local access somewhat limits remote exploitation, but in environments where multiple users have access or where attackers have already gained footholds, the risk remains significant. The absence of known exploits in the wild currently reduces immediate threat levels but does not eliminate the risk of future exploitation once details become more widely known.

Mitigation Recommendations

European organizations should prioritize upgrading affected Acronis Cyber Protect Cloud Agent and Acronis Cyber Protect 16 installations to versions at or beyond build 39904 and 39938 respectively as soon as official patches are released. Until patches are available, organizations should implement strict access controls to limit local user privileges, especially on systems running these Acronis products. Regularly audit folder and file permissions related to Acronis installations to ensure they adhere to the principle of least privilege. Employ endpoint detection and response (EDR) solutions to monitor for suspicious local privilege escalation attempts and unusual file system modifications. Additionally, enforce multi-factor authentication and robust user activity monitoring to detect and prevent unauthorized local access. Network segmentation can also help contain potential compromises. Finally, maintain up-to-date backups stored offline or in immutable storage to ensure recovery capability in case of compromise.
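The permission audit recommended above can be automated against `icacls` output collected from endpoints. The following Python is an added example, not Acronis tooling or code from this page: it parses the output of `icacls "<folder>" /T` and reports every allow entry that gives a broad principal (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE) a write-capable right, recording whether the entry is inherited, since an inherited entry means the parent folder's ACL is the one to correct. The sample output, the placeholder folder `C:\ProgramData\ExampleAgent` (the product's real install paths are not given on this page), the list of broad principals and the set of rights treated as write-capable are all the example's own assumptions.

```python
"""Audit icacls output for write-capable ACEs granted to broad principals (added example)."""
import re
from dataclasses import dataclass

# Tokens icacls prints in parentheses that are inheritance/type flags, not rights.
FLAG_TOKENS = {"OI", "CI", "IO", "NP", "I", "DENY"}
# icacls right abbreviations that let the holder create, replace or delete content;
# treating these as "write-capable" is this example's assumption, not an icacls concept.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WA", "WEA", "DC", "D", "DE", "WDAC", "WO"}
# Principals every local user can expect to be a member of (compared case-insensitively).
BROAD_PRINCIPALS = {
    "everyone",
    r"builtin\users",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
}
ACE_GROUP = re.compile(r"\(([^)]*)\)")


@dataclass(frozen=True)
class Finding:
    path: str
    principal: str
    write_rights: tuple
    inherited: bool


def parse_ace(text):
    r"""'BUILTIN\Users:(I)(OI)(CI)(M)' -> ('BUILTIN\Users', {'I','OI','CI'}, {'M'})."""
    principal, sep, rest = text.strip().partition(":(")
    if not sep:
        raise ValueError(f"not an ACE: {text!r}")
    flags, rights = set(), set()
    for group in ACE_GROUP.findall("(" + rest):
        for token in group.split(","):          # e.g. "(RX,WD)" carries two rights
            token = token.strip()
            (flags if token in FLAG_TOKENS else rights).add(token)
    return principal, flags, rights


def parse_icacls(output):
    """Yield (path, ace_text) for every ACE in `icacls <dir> /T` output."""
    lines = output.splitlines()
    path = None
    for i, line in enumerate(lines):
        if not line.strip():
            continue
        if line[0] == " ":
            if path is not None:               # continuation ACE of the current path
                yield path, line.strip()
            continue
        if ":(" not in line:
            continue                            # e.g. "Successfully processed 4 files"
        # icacls indents continuation ACEs to the column right after the path,
        # so the next line tells us where the path ends.
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        indent = len(nxt) - len(nxt.lstrip(" ")) if nxt.startswith(" ") else 0
        if indent:
            path, ace = line[:indent].rstrip(), line[indent:].strip()
        else:                                   # single ACE: assume the path has no spaces
            path, ace = line.split(" ", 1)
        yield path, ace


def audit_icacls(output, broad=BROAD_PRINCIPALS):
    """Return allow-ACEs that give a broad principal a write-capable right."""
    findings = []
    for path, ace in parse_icacls(output):
        principal, flags, rights = parse_ace(ace)
        if "DENY" in flags or principal.lower() not in broad:
            continue
        write = tuple(sorted(rights & WRITE_RIGHTS))
        if write:
            findings.append(Finding(path, principal, write, "I" in flags))
    return findings


# Constructed sample, not real Acronis output: the product's install path is not
# given on the page, so a placeholder folder is used.  Continuation lines are
# padded to len(path) + 1 spaces, the way icacls lays them out.
SAMPLE_ICACLS = "\n".join([
    r"C:\ProgramData\ExampleAgent NT AUTHORITY\SYSTEM:(OI)(CI)(F)",
    " " * 28 + r"BUILTIN\Administrators:(OI)(CI)(F)",
    " " * 28 + r"BUILTIN\Users:(OI)(CI)(M)",
    r"C:\ProgramData\ExampleAgent\bin NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)",
    " " * 32 + r"BUILTIN\Administrators:(I)(OI)(CI)(F)",
    " " * 32 + r"BUILTIN\Users:(I)(OI)(CI)(M)",
    r"C:\ProgramData\ExampleAgent\logs NT AUTHORITY\SYSTEM:(OI)(CI)(F)",
    " " * 33 + r"BUILTIN\Administrators:(OI)(CI)(F)",
    " " * 33 + r"NT AUTHORITY\Authenticated Users:(OI)(CI)(RX,WD)",
    " " * 33 + r"Everyone:(DENY)(OI)(CI)(W)",
    r"C:\ProgramData\ExampleAgent\config NT AUTHORITY\SYSTEM:(OI)(CI)(F)",
    " " * 35 + r"BUILTIN\Administrators:(OI)(CI)(F)",
    " " * 35 + r"BUILTIN\Users:(OI)(CI)(RX)",
    "",
    "Successfully processed 4 files; Failed processing 0 files",
])


if __name__ == "__main__":
    for f in audit_icacls(SAMPLE_ICACLS):
        origin = "inherited" if f.inherited else "explicit"
        print(f"{f.path}: {f.principal} has {','.join(f.write_rights)} ({origin})")
```

On a Windows host the same function can be fed the text returned by `subprocess.run(["icacls", folder, "/T"], capture_output=True, text=True).stdout`. Against the sample it reports three entries: Modify for BUILTIN\Users on the top folder, the same right inherited into `bin`, and a specific write-data right for Authenticated Users on `logs`; the deny entry and the read-only entries are correctly ignored. The inherited finding is the important pattern for CWE-732 cases: fixing it on `bin` alone would not help, because the grant originates on the parent.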


Technical Details

Data Version: 5.1
Assigner Short Name: Acronis
Date Reserved: 2025-03-21T21:04:39.510Z
CISA Enriched: true

Threat ID: 682d983fc4522896dcbf0806

Added to database: 5/21/2025, 9:09:19 AM

Last enriched: 7/7/2025, 4:11:19 AM

Last updated: 7/29/2025, 7:38:50 PM
