CVE-2026-28717 is a local privilege escalation vulnerability identified in Acronis Cyber Protect 17 for Windows versions before build 41186. The root cause is improper directory permissions (classified under CWE-276: Incorrect Default Permissions), which allow a local user with limited privileges to manipulate files or directories in a way that escalates their privileges on the system. Specifically, the vulnerability arises because certain directories used by the software are not securely permissioned, enabling an attacker with local access to replace or modify files that the software executes or trusts, thereby gaining elevated privileges. The vulnerability requires local access and some user interaction, such as executing a crafted file or script. The CVSS 3.0 vector (AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N) indicates that the attack vector is local, attack complexity is low, privileges required are low, user interaction is required, scope is unchanged, confidentiality impact is none, integrity impact is high, and availability impact is none. This means the attacker cannot steal data or disrupt service but can modify system integrity by escalating privileges. No public exploits or active exploitation have been reported yet. The vulnerability affects all unspecified versions of Acronis Cyber Protect 17 on Windows prior to build 41186. Given the nature of the product as a cybersecurity and backup solution, exploitation could allow attackers to compromise backup integrity or gain control over protected systems. The vendor has not yet published a patch, so mitigation currently relies on restricting local access and hardening directory permissions manually.

The primary impact of CVE-2026-28717 is the potential for local attackers to escalate privileges on systems running vulnerable versions of Acronis Cyber Protect 17. This can lead to unauthorized modification of backup configurations, tampering with backup data, or gaining administrative control over the host system. Such control could be leveraged to disable security controls, install persistent malware, or interfere with incident response and recovery processes. Although confidentiality and availability are not directly impacted, the integrity of critical backup and cybersecurity infrastructure is at risk. Organizations relying on Acronis Cyber Protect 17 for data protection and cyber defense could face increased risk of insider threats or lateral movement by attackers who gain initial local access. This vulnerability is particularly concerning in environments with multiple users or where endpoint security is critical. The absence of known exploits reduces immediate risk, but the medium severity score and nature of the flaw warrant prompt attention to prevent future exploitation.

Until an official patch is released by Acronis, organizations should implement the following mitigations: 1) Restrict local user access to systems running Acronis Cyber Protect 17 to trusted personnel only, minimizing the risk of local exploitation. 2) Manually audit and tighten directory permissions associated with the Acronis Cyber Protect installation, ensuring that only authorized system accounts have write or modify access. 3) Employ application whitelisting and endpoint protection solutions to detect and block unauthorized attempts to modify Acronis directories or execute suspicious scripts. 4) Monitor system logs and Acronis application logs for unusual activity indicative of privilege escalation attempts. 5) Educate users about the risks of executing untrusted files or scripts on systems with Acronis Cyber Protect installed. 6) Plan for rapid deployment of the official patch once available, including testing in controlled environments to verify remediation. 7) Consider isolating critical backup servers from general user access and enforcing strict access control policies. These steps go beyond generic advice by focusing on permission hardening, access restriction, and proactive monitoring tailored to the vulnerability's characteristics.