CVE-2026-28711 is a DLL hijacking vulnerability classified under CWE-427 affecting Acronis Cyber Protect 17 on Windows systems before build 41186. DLL hijacking occurs when an application loads a malicious DLL from an untrusted directory instead of the legitimate one, allowing an attacker to execute arbitrary code with elevated privileges. In this case, the vulnerability enables a local attacker with limited privileges to escalate their rights to a higher privilege level by placing a crafted DLL in a location where the vulnerable application loads it. The attack vector is local, requiring the attacker to have some access to the system but no user interaction is necessary once the malicious DLL is in place. The CVSS 3.0 score of 6.3 reflects medium severity, with high impact on confidentiality and integrity but no impact on availability. The attack complexity is high, meaning exploitation is not trivial, and the attacker must already have some level of access (low privileges). No public exploits or patches are currently available, indicating that organizations should monitor for updates and consider interim mitigations. This vulnerability could be leveraged to gain unauthorized access to sensitive data or modify system configurations, undermining the security posture of affected systems.

The primary impact of CVE-2026-28711 is local privilege escalation, which can allow attackers with limited access to gain higher privileges on the system. This can lead to unauthorized access to sensitive data, modification of security settings, and potential persistence on the affected host. While availability is not directly impacted, the compromise of confidentiality and integrity can have serious consequences, including data breaches and disruption of security controls. Organizations relying on Acronis Cyber Protect 17 for backup and cybersecurity management could see their systems compromised, undermining trust in their protection mechanisms. The medium severity rating reflects the need for attention but also the requirement for local access and high attack complexity, limiting the scope of immediate widespread exploitation. However, in environments where attackers can gain initial footholds, this vulnerability could be a critical step in escalating privileges and moving laterally within networks.

1. Monitor Acronis communications closely for official patches or updates addressing this vulnerability and apply them promptly once available. 2. Restrict local access to systems running Acronis Cyber Protect 17 to trusted users only, minimizing the risk of local attackers placing malicious DLLs. 3. Employ application whitelisting and integrity monitoring to detect unauthorized DLLs or changes in application directories. 4. Use Windows security features such as User Account Control (UAC) and least privilege principles to limit the ability of low-privilege users to write to directories where DLLs are loaded. 5. Conduct regular audits of system directories and environment variables related to DLL loading paths to identify suspicious files. 6. Consider deploying endpoint detection and response (EDR) solutions capable of detecting DLL hijacking behaviors. 7. Educate system administrators and users about the risks of local privilege escalation and the importance of maintaining strict access controls. These measures provide defense-in-depth until a patch is available.