
CVE-2025-48961: CWE-732 in Acronis Cyber Protect 16

Severity: High
Tags: Vulnerability, CVE-2025-48961, CWE-732
Published: Wed Jun 04 2025 (06/04/2025, 13:26:51 UTC)
Source: CVE Database V5
Vendor/Project: Acronis
Product: Acronis Cyber Protect 16

Description

Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39938.

AI-Powered Analysis

AI analysis last updated: 07/06/2025, 04:41:03 UTC

Technical Analysis

CVE-2025-48961 is a high-severity local privilege escalation vulnerability affecting Acronis Cyber Protect 16 on Windows platforms prior to build 39938. The root cause is insecure folder permissions (classified under CWE-732: Incorrect Permission Assignment for Critical Resource), which allow a local attacker with limited privileges to escalate their rights on the affected system. Specifically, the vulnerability arises because certain folders used by the Acronis Cyber Protect 16 software are configured with overly permissive access controls. This misconfiguration enables an attacker who already has some level of access (local user with limited privileges) to manipulate files or directories in these folders, potentially replacing or injecting malicious components that the software executes with elevated privileges. The CVSS v3.0 base score of 7.3 reflects a scenario where the attack vector is local (AV:L), the attack complexity is low (AC:L), privileges required are low (PR:L), and user interaction is required (UI:R). The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H), indicating that a successful exploit could lead to full system compromise, including unauthorized data access, modification, or disruption of services. No known exploits are currently reported in the wild, and no patch links are provided yet, suggesting that the vendor may still be preparing or rolling out fixes. However, the vulnerability is publicly disclosed and should be treated with urgency given the critical nature of the affected product, which is widely used for backup, recovery, and cybersecurity protection in enterprise environments.

Potential Impact

For European organizations, this vulnerability poses a significant risk due to the widespread adoption of Acronis Cyber Protect 16 in sectors such as finance, healthcare, manufacturing, and government. Exploitation could allow attackers to gain elevated privileges on critical systems, bypass security controls, and potentially deploy ransomware or other malware with administrative rights. This can lead to data breaches involving sensitive personal and corporate data, disruption of business continuity, and non-compliance with GDPR and other regulatory frameworks. The fact that the attack requires local access limits remote exploitation but does not eliminate risk, as insider threats or compromised user accounts could be leveraged. Additionally, organizations relying on Acronis for backup integrity may face risks of backup tampering or destruction, severely impacting disaster recovery capabilities. The high impact on confidentiality, integrity, and availability underscores the potential for severe operational and reputational damage.

Mitigation Recommendations

European organizations should immediately audit and restrict folder permissions related to Acronis Cyber Protect 16 installations to ensure that only authorized system accounts have write access. Until an official patch is released, applying strict access control lists (ACLs) on the affected directories can mitigate exploitation risk. Organizations should also enforce the principle of least privilege for all local users and service accounts, minimizing the number of users with local access. Monitoring and logging of file system changes in the Acronis installation directories should be enabled to detect suspicious activity. Additionally, organizations should implement endpoint detection and response (EDR) solutions capable of identifying privilege escalation attempts. Regularly updating Acronis software to the latest builds once patches are available is critical. Finally, conducting internal security awareness training to reduce the risk of social engineering attacks that could lead to local access is recommended.
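The audit step above, as an added example that is not part of the advisory or of Acronis' own tooling: a PowerShell script that walks the product's folders and reports every Allow ACE that gives a broad, low-privileged principal write-capable rights (the CWE-732 condition). The install paths under Program Files and ProgramData are assumptions; adjust them to your deployment and run the script elevated.

```powershell
# Added example (not from the advisory or from Acronis). Install paths are ASSUMED.
$Paths = @("$env:ProgramFiles\Acronis", "$env:ProgramData\Acronis")

# Broad principals that should never hold write rights on a privileged service's folders.
$RiskyIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Specific rights that let a user plant, replace, delete or re-permission content.
# Modify and FullControl are supersets of these bits, so they are caught as well.
$WriteMask = 0x2 -bor 0x4 -bor 0x10 -bor 0x40 -bor 0x100        # WriteData, AppendData, WriteEA, DeleteSubdirs, WriteAttributes
$WriteMask = $WriteMask -bor 0x10000 -bor 0x40000 -bor 0x80000   # Delete, ChangePermissions, TakeOwnership
$GenericWrite = 0x40000000 -bor 0x10000000                        # GENERIC_WRITE, GENERIC_ALL (unmapped generic bits)

function Test-WriteCapable([System.Security.AccessControl.FileSystemAccessRule]$Ace) {
    # The enum may print as a negative number when generic bits are set; -band still tests bits correctly.
    $bits = [int]$Ace.FileSystemRights
    return (($bits -band $WriteMask) -ne 0) -or (($bits -band $GenericWrite) -ne 0)
}

$Findings = foreach ($root in $Paths) {
    if (-not (Test-Path $root)) { Write-Warning "Not present: $root"; continue }
    # Check the root itself plus every subfolder, since services often execute from nested paths.
    $dirs = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($RiskyIdentities -notcontains $ace.IdentityReference.Value) { continue }
            if (-not (Test-WriteCapable $ace)) { continue }
            [pscustomobject]@{
                Path      = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # an inherited ACE means the parent folder is the one to fix
            }
        }
    }
}

if ($Findings) { $Findings | Format-Table -AutoSize }
else { 'No write-capable ACEs for low-privileged principals found under the audited paths.' }
```

One way to tighten a flagged folder is `icacls "<path>" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F" "BUILTIN\Users:(OI)(CI)RX"`, which leaves only SYSTEM and Administrators with write access. Validate on a test host first, because a service account that legitimately writes logs or cache data into a subfolder would need an explicit grant of its own.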


Technical Details

Data Version: 5.1
Assigner Short Name: Acronis
Date Reserved: 2025-05-29T00:22:59.556Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 6840511e182aa0cae2b0823a

Added to database: 6/4/2025, 1:58:54 PM

Last enriched: 7/6/2025, 4:41:03 AM

Last updated: 8/2/2025, 12:21:54 AM
