CVE-2025-30413 is a vulnerability classified under CWE-732 (Incorrect Permission Assignment for Critical Resource) found in Acronis Cyber Protect Cloud Agent across Linux, macOS, and Windows platforms. The flaw occurs because the agent fails to securely delete stored credentials after a protection plan revocation, leaving sensitive authentication data accessible on the system. This residual credential data can be exploited by an attacker with local high-level privileges to gain unauthorized access to the agent or related services, potentially compromising confidentiality. The vulnerability has a CVSS 3.0 base score of 4.4, indicating medium severity, with an attack vector requiring local access (AV:L), low attack complexity (AC:L), high privileges (PR:H), no user interaction (UI:N), and unchanged scope (S:U). The impact is primarily on confidentiality, with no direct effect on integrity or availability. No public exploits have been reported, and no patches are linked yet, though affected versions are identified as those before build 40497 for the Cloud Agent and before build 41186 for Cyber Protect 17. This vulnerability highlights a failure in secure credential lifecycle management within the agent software.

The primary impact of CVE-2025-30413 is unauthorized access to sensitive credentials stored by the Acronis Cyber Protect Cloud Agent after plan revocation. This can lead to confidentiality breaches, allowing attackers with local high privileges to potentially access backup data or management functions that rely on these credentials. Although the vulnerability does not affect data integrity or system availability directly, the exposure of credentials could facilitate further lateral movement or privilege escalation within an organization's environment. Organizations relying on Acronis Cyber Protect Cloud Agent for backup and protection services may face increased risk of insider threats or compromised endpoints if this vulnerability is exploited. The requirement for local high privileges limits remote exploitation but does not eliminate risk in environments where multiple users have elevated access or where endpoint compromise has already occurred.

To mitigate CVE-2025-30413, organizations should: 1) Monitor Acronis vendor announcements closely and apply patches or updates as soon as they are released for builds 40497 (Cloud Agent) and 41186 (Cyber Protect 17) or later. 2) Implement strict access controls to limit local administrative privileges on systems running affected Acronis agents, reducing the risk of credential exposure. 3) Regularly audit and revoke credentials and tokens associated with backup plans, ensuring no stale credentials remain. 4) Employ endpoint detection and response (EDR) solutions to monitor for suspicious local access or credential dumping activities. 5) Use encryption and secure storage mechanisms for credentials where possible, and verify that credential deletion processes are effective post-plan revocation. 6) Conduct periodic security reviews of backup and protection agent configurations to ensure compliance with least privilege principles. 7) Educate system administrators about the risks of credential persistence and the importance of timely plan revocation and cleanup.