CVE-2026-28711 is a local privilege escalation vulnerability identified in Acronis Cyber Protect 17 for Windows systems before build 41186. The root cause is DLL hijacking, classified under CWE-427, where the software improperly loads a DLL from an untrusted location. This allows a local attacker with limited privileges to place a malicious DLL in a location where the application loads it, thereby executing arbitrary code with elevated privileges. The vulnerability affects confidentiality and integrity by enabling unauthorized access and modification of sensitive data or system configurations. The CVSS 3.0 score of 6.3 reflects a medium severity, with attack vector local (AV:L), attack complexity high (AC:H), privileges required low (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality and integrity (C:H/I:H) but no impact on availability (A:N). Exploitation requires local access and some conditions to be met, such as the ability to write files to specific directories. No public exploits or active exploitation have been reported to date. The vulnerability is significant because Acronis Cyber Protect is widely used in enterprise environments for backup and cybersecurity protection, making privilege escalation a critical concern for maintaining system security and data integrity.

If exploited, this vulnerability allows a local attacker with limited privileges to escalate their privileges to a higher level, potentially SYSTEM or administrator level. This can lead to unauthorized access to sensitive data, modification or deletion of backups, disabling or tampering with security features, and persistence on the affected system. The compromise of backup and cybersecurity software like Acronis Cyber Protect can undermine an organization's entire security posture, as attackers could manipulate backup data or disable protection mechanisms. Although exploitation requires local access and is of high complexity, the impact on confidentiality and integrity is high, making it a serious risk for organizations relying on this software. The absence of availability impact means systems remain operational but potentially compromised. Organizations with many endpoints running this software are at risk of widespread privilege escalations if attackers gain initial local access.

1. Apply patches or updates from Acronis as soon as they become available to address this vulnerability. 2. Until patches are released, restrict write permissions on directories where Acronis Cyber Protect loads DLLs to prevent unauthorized DLL placement. 3. Implement application whitelisting and code integrity policies to prevent loading of unauthorized DLLs. 4. Limit local user privileges to the minimum necessary to reduce the attack surface. 5. Monitor systems for unusual DLL loading behavior or privilege escalation attempts using endpoint detection and response (EDR) tools. 6. Conduct regular audits of file system permissions and software configurations related to Acronis Cyber Protect. 7. Educate local users about the risks of executing untrusted code or scripts that could facilitate DLL hijacking. 8. Employ network segmentation to limit lateral movement if local compromise occurs. These steps collectively reduce the risk of exploitation before official patches are deployed.