CVE-2025-30408: CWE-732 in Acronis Acronis Cyber Protect Cloud Agent
Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39904, Acronis Cyber Protect 16 (Windows) before build 39938.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Summary
CVE-2025-30408 is a vulnerability classified under CWE-732 (Incorrect Permission Assignment for Critical Resource) affecting Acronis Cyber Protect Cloud Agent and Acronis Cyber Protect 16 on Windows platforms. The root cause is insecure folder permissions that allow a local attacker with limited privileges to manipulate or replace files or directories critical to the software’s operation. This improper permission configuration can be leveraged to escalate privileges from a low-privileged user to a higher privileged context, potentially SYSTEM or administrator level. The vulnerability requires local access, meaning an attacker must already have some foothold on the system, and user interaction is necessary, increasing the attack complexity. The CVSS v3.0 vector indicates local attack vector (AV:L), high attack complexity (AC:H), low privileges required (PR:L), user interaction required (UI:R), and impacts confidentiality, integrity, and availability (C:H/I:H/A:H). No public exploits or active exploitation campaigns have been reported yet. The affected versions are those prior to build 39904 for the Cloud Agent and build 39938 for Cyber Protect 16, both Windows-only. The vulnerability was reserved in March 2025 and published in April 2025. Given the critical role of Acronis products in backup and cyber protection, exploitation could allow attackers to disable or manipulate backup processes, exfiltrate sensitive data, or disrupt system availability.
Potential Impact
The impact of CVE-2025-30408 is significant for organizations relying on Acronis Cyber Protect Cloud Agent and Cyber Protect 16 on Windows. Successful exploitation allows a local attacker to escalate privileges, potentially gaining administrative or SYSTEM-level access. This can lead to full compromise of the affected system, including unauthorized access to sensitive data, tampering with backup and recovery processes, and disruption or destruction of data availability. Since these products are often deployed in enterprise environments for critical backup and cyber protection, exploitation could undermine an organization's data integrity and recovery capabilities, increasing the risk of ransomware or data loss incidents. The requirement for local access and user interaction limits remote exploitation but does not eliminate risk, especially in environments where insider threats or compromised endpoints exist. The absence of known exploits in the wild suggests limited immediate risk but highlights the importance of timely patching to prevent future attacks.
Mitigation Recommendations
Organizations should prioritize updating Acronis Cyber Protect Cloud Agent to build 39904 or later and Acronis Cyber Protect 16 to build 39938 or later once patches are released. Until patches are available, administrators should audit and tighten folder permissions related to Acronis software directories to ensure only authorized users and system processes have access. Implement strict local user privilege management to minimize the number of users with local access and reduce the attack surface. Employ endpoint detection and response (EDR) solutions to monitor for suspicious local privilege escalation attempts. Regularly review and restrict user interaction capabilities, especially on systems running vulnerable versions. Additionally, maintain robust backup and recovery plans independent of the affected software to mitigate potential impact. Network segmentation and least privilege principles should be enforced to limit lateral movement from compromised local accounts.
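The folder-permission audit recommended above, as an added PowerShell example that is not part of the advisory and not Acronis tooling. The two Acronis paths and the set of low-privileged principals are assumptions; adjust them to the actual install and data locations of the deployment.

```powershell
# Added example (not from the advisory or Acronis): walk a directory tree and report
# CWE-732-style weak ACLs, i.e. write-class rights granted to principals that any
# low-privileged local user belongs to. Paths are assumed, not taken from the advisory.
param(
    [string[]]$Paths = @("C:\Program Files\Acronis", "C:\ProgramData\Acronis")
)

# Well-known SIDs every interactive low-privileged user is a member of.
$lowPrivSids = @(
    "S-1-1-0",       # Everyone
    "S-1-5-11",      # Authenticated Users
    "S-1-5-32-545",  # BUILTIN\Users
    "S-1-5-4"        # INTERACTIVE
)

# Rights that let a caller plant, replace or delete files or change the DACL.
# Modify and FullControl are supersets of Write, so they match this mask too.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Find-WeakAcl {
    param([string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }   # orphaned or untranslatable identity, skip it
            if ($lowPrivSids -notcontains $sid) { continue }
            if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $dir.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = $Paths | ForEach-Object { Find-WeakAcl -Root $_ }
$findings | Format-Table -AutoSize
# Remediation sketch for a confirmed finding (replaces the weak grant with read/execute):
#   icacls "<path>" /remove:g "BUILTIN\Users" /grant:r "BUILTIN\Users:(OI)(CI)RX"
```

Run it elevated so every subdirectory's DACL can be read; an empty table after the patch is applied is the expected result, while any row before patching shows which folder a low-privileged account could tamper with.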
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Japan, France, Netherlands, Sweden, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Acronis
- Date Reserved: 2025-03-21T21:04:39.510Z
- CISA Enriched: true
Threat ID: 682d983fc4522896dcbf0806
Added to database: 5/21/2025, 9:09:19 AM
Last enriched: 2/26/2026, 9:16:40 PM
Last updated: 3/26/2026, 10:27:21 AM