CVE-2026-28712 is a local privilege escalation vulnerability identified in Acronis Cyber Protect 17 for Windows versions before build 41186. The root cause is a DLL hijacking weakness classified under CWE-427, where the software improperly loads DLLs from untrusted or user-controllable locations. An attacker with limited local privileges can exploit this flaw by placing a malicious DLL in a location where the application loads it instead of the legitimate one. This allows the attacker to execute arbitrary code with elevated privileges, potentially gaining administrative control over the system. The vulnerability has a CVSS 3.0 base score of 6.3, with the vector indicating local attack vector (AV:L), high attack complexity (AC:H), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality and integrity (C:H/I:H), but no impact on availability (A:N). No public exploits are currently known, and no patches are linked yet, suggesting that mitigation relies on vendor updates and best practices. The vulnerability affects Acronis Cyber Protect 17, a widely used backup and cybersecurity solution in enterprise environments, making it a significant concern for organizations relying on this product for data protection and endpoint security.

The vulnerability allows an attacker with local access and limited privileges to escalate their privileges to a higher level, potentially administrative. This can lead to unauthorized access to sensitive data, modification or deletion of critical files, and the ability to disable or tamper with security controls. The confidentiality and integrity of affected systems are at high risk, although availability is not impacted. Organizations using Acronis Cyber Protect 17 in multi-user environments, such as corporate networks, managed service providers, or shared workstations, are particularly vulnerable. Exploitation could facilitate lateral movement within networks, data exfiltration, or persistence by threat actors. While remote exploitation is not possible, insider threats or attackers who have gained initial foothold on a system could leverage this vulnerability to deepen their control. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially once exploit code becomes available.

Organizations should monitor Acronis communications for official patches addressing this vulnerability and apply them promptly once released. Until patches are available, implement strict DLL loading policies using Windows features such as AppLocker or Software Restriction Policies to restrict DLL loading paths to trusted directories only. Employ application whitelisting to prevent unauthorized DLLs from executing. Limit local user privileges to the minimum necessary to reduce the attack surface. Conduct regular audits of installed software and DLLs to detect anomalies. Use endpoint detection and response (EDR) tools to monitor for suspicious DLL loading behavior. Educate users about the risks of local privilege escalation and enforce strong access controls on shared systems. Consider isolating critical systems running Acronis Cyber Protect 17 to reduce exposure. Finally, maintain comprehensive backups and incident response plans to recover quickly if exploitation occurs.