CVE-2026-28712 is a local privilege escalation vulnerability classified under CWE-427 (Uncontrolled Search Path Element) affecting Acronis Cyber Protect 17 on Windows systems before build 41186. The vulnerability stems from DLL hijacking, where the software improperly loads dynamic link libraries from untrusted or user-controllable locations. An attacker with local access and limited privileges can exploit this flaw by placing a malicious DLL in a location that the application searches before the legitimate DLL, causing the malicious code to execute with higher privileges. The CVSS 3.0 vector (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N) indicates that the attack requires local access, high attack complexity, and low privileges, with no user interaction needed. Successful exploitation can compromise confidentiality and integrity by allowing unauthorized access or modification of sensitive data and system configurations, though it does not affect availability. No public exploits are known at this time, but the vulnerability poses a significant risk due to the elevated privileges gained upon exploitation. The lack of an official patch link suggests that remediation may require updates from Acronis or temporary mitigations.

The impact of this vulnerability is primarily local privilege escalation, enabling attackers with limited access to gain higher privileges on affected systems. This can lead to unauthorized access to sensitive backup data, manipulation or deletion of backups, and potential disruption of backup and recovery operations. In enterprise environments relying on Acronis Cyber Protect 17 for critical data protection, such an escalation could undermine the integrity and confidentiality of backup data and compromise overall security posture. Attackers could leverage this to move laterally within networks, escalate privileges further, or disable security controls. Although availability is not directly impacted, the indirect effects on backup integrity and security could have severe operational consequences. Organizations with large deployments of Acronis Cyber Protect 17, especially those in regulated industries or handling sensitive data, face increased risk.

To mitigate this vulnerability, organizations should: 1) Apply the latest patches or updates from Acronis as soon as they become available to address the DLL hijacking issue. 2) Until patches are released, restrict local user permissions to the minimum necessary to reduce the risk of local exploitation. 3) Implement application whitelisting and restrict write permissions on directories where Acronis Cyber Protect 17 loads DLLs to prevent unauthorized DLL placement. 4) Monitor file system changes in the application directories and audit for suspicious DLL files. 5) Employ endpoint detection and response (EDR) solutions to detect anomalous DLL loading behaviors. 6) Educate system administrators about the risk of DLL hijacking and enforce strict control over software installation and updates. 7) Consider isolating backup servers and limiting local access to trusted personnel only. These steps go beyond generic advice by focusing on controlling the DLL search path and local privilege boundaries specific to this vulnerability.