CVE-2025-9578: CWE-732 in Acronis Acronis Cyber Protect Cloud Agent
Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 40734.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-9578 is a local privilege escalation vulnerability in the Acronis Cyber Protect Cloud Agent for Windows, affecting builds before 40734. The root cause is insecure folder permissions (CWE-732): a user with limited privileges can modify or replace files or directories that the agent relies on for its operation. An attacker who already has local access can use this misconfiguration to gain elevated, potentially SYSTEM- or administrator-level, privileges without any user interaction. The CVSS v3.0 base score is 7.8 (High): attack vector local (AV:L), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability. No public exploits have been reported, but the weakness is significant because it lets an attacker bypass security controls, tamper with backup or protection processes, and compromise system integrity. Acronis Cyber Protect Cloud Agent is widely deployed in enterprise environments for backup and cyber protection, so the issue is relevant to any organization relying on this software. The record provides no patch link; remediation consists of updating to a fixed build (40734 or later) once available, or applying manual permission hardening in the interim. The vulnerability was published on August 28, 2025, and is in a published state with no known active exploitation.
Potential Impact
The impact of CVE-2025-9578 is substantial for organizations running Acronis Cyber Protect Cloud Agent on Windows. Successful exploitation lets a local attacker with limited privileges escalate to administrative or SYSTEM-level access. That level of access can lead to full system compromise: unauthorized access to sensitive backup data, modification or deletion of backup files, disruption of backup and recovery processes, and installation of persistent malware or backdoors. Compromise of a backup agent is especially serious because backups are trusted sources for recovery; if an attacker tampers with them, incident response and disaster recovery efforts are undermined. The vulnerability affects confidentiality, integrity, and availability alike. Organizations with large agent deployments, especially managed service providers and enterprises with critical data protection needs, face increased risk. Although exploitation requires local access, insider threats or attackers who have gained an initial foothold can use this vulnerability to escalate privileges and move laterally within the network, amplifying the threat.
Mitigation Recommendations
To mitigate CVE-2025-9578, organizations should take the following specific actions:
1) Monitor Acronis communications and promptly apply the fixed build (40734 or later) once available.
2) In the interim, audit and harden folder and file permissions on the Acronis Cyber Protect Cloud Agent installation directories so that only trusted system accounts and administrators have write access, preventing unauthorized modification.
3) Restrict local user permissions and apply the principle of least privilege to limit the number of users who can log in locally or execute code on systems running the agent.
4) Deploy endpoint detection and response (EDR) tooling to monitor for suspicious local privilege escalation attempts and anomalous file system changes within Acronis directories.
5) Conduct regular security awareness training to reduce insider threat risk and ensure users understand the importance of safeguarding privileged access.
6) Consider isolating backup agents on dedicated systems or virtual machines with strict access controls to reduce exposure.
7) Maintain comprehensive logging and auditing of local privilege escalations and file permission changes to enable rapid detection and response.
These measures, combined with timely patching, will reduce the risk posed by this vulnerability.
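The interim audit in step 2 can be scripted. The following PowerShell function is an added example for this page, not code from the advisory or from Acronis: it walks a directory tree and reports any Allow ACE that grants write-class rights (write, modify, delete, change permissions, take ownership) to a broad principal such as Everyone, Authenticated Users, INTERACTIVE or BUILTIN\Users, which is exactly the CWE-732 condition the advisory describes. The install path is a placeholder parameter; the agent's actual directory is not stated on this page and must be supplied by the operator.

```powershell
# Added example (not from the advisory or Acronis): audit a directory tree for ACEs that
# grant write-class rights to low-privileged principals (the CWE-732 condition).
# $Path is a placeholder; substitute the agent's real installation directory.
function Find-WeakFolderPermissions {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )

    # Rights that let a caller create, replace, remove or re-permission files in a directory.
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $writeMask = $fsr::Write -bor $fsr::Modify -bor $fsr::FullControl -bor
                 $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
                 $fsr::WriteData -bor $fsr::AppendData -bor
                 $fsr::ChangePermissions -bor $fsr::TakeOwnership

    # Broad principals identified by well-known SID, so the check is locale-independent.
    $broadSids = @(
        'S-1-1-0',      # Everyone
        'S-1-5-11',     # Authenticated Users
        'S-1-5-4',      # INTERACTIVE
        'S-1-5-32-545'  # BUILTIN\Users
    )

    $targets = @(Get-Item -LiteralPath $Path)
    if ($Recurse) {
        $targets += Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue
    }

    foreach ($dir in $targets) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # unresolvable identity: skip rather than misclassify
            if ($broadSids -notcontains $sid) { continue }
            if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (the path is a placeholder, not the agent's documented install directory):
# Find-WeakFolderPermissions -Path 'C:\Program Files\<AgentInstallDir>' -Recurse | Format-Table -AutoSize
```

An empty result means no broad principal holds write-class rights on the audited directories. Each row that is reported should be checked against vendor guidance before the ACE is removed, because a service may legitimately need a particular right; the Inherited column shows whether the weak ACE comes from a parent directory, in which case the fix belongs on the parent rather than on each child.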
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, Sweden, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: Acronis
- Date Reserved: 2025-08-28T12:12:52.244Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68b0650dad5a09ad006d6920
Added to database: 8/28/2025, 2:17:49 PM
Last enriched: 2/27/2026, 4:29:19 AM
Last updated: 3/23/2026, 3:33:47 PM
Views: 306