CVE-2026-28713: CWE-1392 in Acronis Acronis Cyber Protect Cloud Agent
CVE-2026-28713 is a high-severity vulnerability in Acronis Cyber Protect Cloud Agent and Acronis Cyber Protect 17 VMware versions before specified builds. Default credentials are set for a local privileged user within the virtual appliance; a remote attacker who uses them can cause high confidentiality and integrity impact with limited availability impact. Exploitation requires network access and user interaction, has high attack complexity, and needs no privileges. No known exploits are currently reported in the wild. The vulnerability poses significant risks to organizations using affected Acronis products, potentially enabling unauthorized access to and control over backup and protection systems. Mitigation involves removing or changing default credentials, applying vendor patches when available, and restricting network access to management interfaces. Countries with high adoption of Acronis products and significant VMware infrastructure are most at risk.
AI Analysis
Technical Summary
CVE-2026-28713 is a vulnerability classified under CWE-1392 affecting Acronis Cyber Protect Cloud Agent (VMware) before build 36943 and Acronis Cyber Protect 17 (VMware) before build 41186. The core issue is the presence of default credentials configured for a local privileged user account within the virtual appliance environment. An unauthenticated remote attacker with network access to the affected system can use these default credentials to gain elevated privileges, provided the attacker can induce user interaction. The vulnerability impacts confidentiality and integrity significantly, as an attacker could access sensitive backup data or manipulate backup configurations, potentially undermining data protection and recovery processes. Attack complexity is high, user interaction is required, and no privileges are needed initially. The vulnerability does not heavily impact availability but could lead to limited denial of service or disruption. No public exploits have been reported yet, but the presence of default privileged credentials is a critical security oversight that could be leveraged in targeted attacks. The vulnerability affects virtualized environments running Acronis Cyber Protect Cloud Agent or Acronis Cyber Protect 17 on VMware, which are widely used for enterprise backup and disaster recovery solutions. The lack of available patches at the time of reporting necessitates immediate mitigation steps by administrators.
Potential Impact
The vulnerability allows unauthorized remote attackers to leverage default privileged credentials to gain access to the Acronis virtual appliance environment. This can lead to unauthorized disclosure of sensitive backup data, manipulation or deletion of backup sets, and potential compromise of the backup infrastructure integrity. Organizations relying on Acronis Cyber Protect products for data protection and disaster recovery could face significant operational risks, including loss of data integrity and confidentiality. Although availability impact is limited, the compromise of backup systems can severely affect recovery capabilities after an incident. The high confidentiality and integrity impact combined with the widespread use of Acronis products in enterprise environments makes this a critical concern for organizations managing sensitive or regulated data. Attackers exploiting this vulnerability could establish persistent footholds within backup environments, complicating incident response and remediation efforts.
Mitigation Recommendations
1. Immediately identify and change any default credentials on local privileged user accounts within the Acronis virtual appliance environment.
2. Restrict network access to management interfaces of the Acronis Cyber Protect Cloud Agent and related virtual appliances using network segmentation, firewalls, and VPNs to limit exposure.
3. Monitor network traffic and logs for unusual authentication attempts or access patterns targeting the Acronis virtual appliances.
4. Apply vendor patches or updates as soon as they become available to address this vulnerability.
5. Implement multi-factor authentication (MFA) where possible for administrative access to backup management consoles.
6. Conduct regular audits of user accounts and credentials within backup environments to detect and remediate insecure configurations.
7. Educate administrators and users about the risks of default credentials and enforce strong password policies.
8. Consider deploying intrusion detection/prevention systems (IDS/IPS) to detect exploitation attempts targeting this vulnerability.
9. Maintain up-to-date backups isolated from the network to ensure recovery capability in case of compromise.
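A triage sketch for steps 1, 2 and 4 above, added here as an example and not taken from Acronis or from this advisory's source: it ranks virtual appliances from an inventory export by build (against the fixed builds 36943 and 41186 named above), credential-rotation status and management-interface exposure. The CSV columns, host names and the approved management subnet are constructed for illustration.

```python
import csv
import io
import ipaddress

# Fixed builds quoted in the advisory above; the dictionary keys are labels chosen for this example.
FIXED_BUILD = {
    "cyber protect cloud agent (vmware)": 36943,
    "cyber protect 17 (vmware)": 41186,
}

# Constructed inventory export: column names, hosts and values are all hypothetical.
SAMPLE_INVENTORY = """\
host,product,build,creds_rotated,mgmt_allowed_from
va-01,Cyber Protect Cloud Agent (VMware),36890,no,0.0.0.0/0
va-02,Cyber Protect Cloud Agent (VMware),36943,yes,10.20.0.0/24
va-03,Cyber Protect 17 (VMware),41100,yes,10.20.0.0/24
va-04,Cyber Protect 17 (VMware),unknown,no,10.20.0.0/24;192.168.50.0/24
"""


def triage(inventory_csv, mgmt_nets):
    """Return [(host, findings)] with the appliances needing most work first."""
    approved = [ipaddress.ip_network(n) for n in mgmt_nets]
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        findings = []
        fixed = FIXED_BUILD.get(row["product"].strip().lower())
        build = int(row["build"]) if row["build"].strip().isdigit() else None
        if fixed is None:
            findings.append("unrecognised product: verify manually")
        elif build is None:
            findings.append("build unknown: verify manually")
        elif build < fixed:
            findings.append(f"build {build} is before fixed build {fixed}")
        if row["creds_rotated"].strip().lower() != "yes":
            findings.append("default credential not confirmed rotated")
        for cidr in row["mgmt_allowed_from"].split(";"):
            src = ipaddress.ip_network(cidr.strip())
            # Exposure finding: the source range is not inside any approved management network.
            if not any(src.version == a.version and src.subnet_of(a) for a in approved):
                findings.append(f"management access allowed from {src}")
        results.append((row["host"], findings))
    return sorted(results, key=lambda r: (-len(r[1]), r[0]))


if __name__ == "__main__":
    for host, findings in triage(SAMPLE_INVENTORY, ["10.20.0.0/24"]):
        print(host, "OK" if not findings else "; ".join(findings))
```

An appliance with an unparseable build is reported for manual verification rather than treated as patched.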
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, Sweden, Singapore, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: Acronis
- Date Reserved: 2026-03-03T02:29:03.753Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 69aa1963c48b3f10ff8d2b40
Added to database: 3/6/2026, 12:01:39 AM
Last enriched: 3/6/2026, 12:16:32 AM
Last updated: 3/6/2026, 5:41:05 AM