CVE-2025-9578: CWE-732 in Acronis Cyber Protect Cloud Agent
Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 40734.
AI Analysis
Technical Summary
CVE-2025-9578 is a high-severity local privilege escalation vulnerability affecting the Acronis Cyber Protect Cloud Agent for Windows in builds prior to 40734. The root cause is insecure folder permissions (CWE-732: Incorrect Permission Assignment for Critical Resource): the agent's installation or operational directories carry permissions that let local users with limited privileges modify or replace files or executables within them. An attacker with low-privileged local access could use these writable directories to escalate, potentially to SYSTEM or administrator level. The vulnerability requires no user interaction and has low attack complexity, but it does require local access with some privileges (PR:L). The CVSS v3.0 score of 7.8 reflects high impact on confidentiality, integrity, and availability, since a successful attacker could gain full control of the affected system. No exploits are currently reported in the wild, but the vulnerability poses a significant risk given how widely Acronis Cyber Protect Cloud Agent is deployed in enterprise environments for backup and endpoint protection. Writable agent directories could allow attackers to tamper with backup processes, inject malicious code, or disable security features, undermining the overall security posture of affected systems.
Potential Impact
For European organizations, this vulnerability presents a critical risk, especially for those relying on Acronis Cyber Protect Cloud Agent for data protection and endpoint security. Successful exploitation could lead to unauthorized access to sensitive data, disruption of backup and recovery operations, and potential lateral movement within corporate networks. This is particularly concerning for sectors with stringent data protection requirements such as finance, healthcare, and government agencies in Europe. The compromise of backup agents could also facilitate ransomware attacks or data exfiltration, severely impacting business continuity and regulatory compliance under GDPR. Since the vulnerability requires local access, insider threats or attackers who have already gained initial footholds could leverage this flaw to escalate privileges and deepen their control over critical infrastructure.
Mitigation Recommendations
Organizations should prioritize updating the Acronis Cyber Protect Cloud Agent to build 40734 or later, where this vulnerability is addressed. Where an immediate update is not possible, administrators should audit and harden the folder permissions of the agent's installation and operational directories so that only authorized system accounts have write access. Strict access control lists (ACLs) and Windows security policies that restrict modification rights reduce the risk of exploitation. File integrity monitoring and endpoint detection and response (EDR) tooling that flags unusual privilege escalation attempts can provide early warning. Limiting local user privileges and enforcing least privilege across endpoints will reduce the attack surface. Regularly reviewing security configurations for backup agents and conducting internal penetration testing focused on privilege escalation vectors are also recommended.
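As a concrete form of the permission audit recommended above, the following PowerShell script is an added example, not part of this advisory or of Acronis's own tooling. It walks a directory tree and reports every ACE that grants write-capable rights to a low-privileged principal, the CWE-732 condition described here; the root path is a placeholder to be replaced with the agent's real installation and data directories.

```powershell
# Added example (not from the advisory): audit a directory tree for ACL entries that
# grant write-capable rights to low-privileged principals. Run from an elevated shell.
# The default path is a placeholder; pass the agent's actual directories instead.
param(
    [string]$Root = 'C:\PLACEHOLDER\AgentInstallDir'
)

# Well-known low-privileged principals that should not hold write rights on
# directories used by a service running as SYSTEM.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these FileSystemRights flags lets the holder create, replace or remove content,
# or change the ACL itself, which is enough to plant a file the service will later load.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteRights = [int]($R::Write -bor $R::Modify -bor $R::FullControl -bor
                     $R::CreateFiles -bor $R::CreateDirectories -bor $R::Delete -bor
                     $R::TakeOwnership -bor $R::ChangePermissions)

function Find-WeakDirectoryAcl {
    param([string]$Path)
    # Include the root itself, then every subdirectory.
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $WriteRights) -eq 0) { continue }
            # Inherited entries usually come from a parent such as ProgramData, where
            # Users commonly hold CreateFiles/AppendData; they still need fixing here.
            [pscustomobject]@{
                Directory = $dir.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Find-WeakDirectoryAcl -Path $Root | Format-Table -AutoSize
```

An empty result means no low-privileged principal can write anywhere under the root; each reported row is a directory whose ACL should be tightened so that only SYSTEM and Administrators hold write rights.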
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Acronis
- Date Reserved: 2025-08-28T12:12:52.244Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68b0650dad5a09ad006d6920
Added to database: 8/28/2025, 2:17:49 PM
Last enriched: 9/4/2025, 6:32:08 PM
Last updated: 10/13/2025, 3:45:38 AM