CVE-2026-28717 is a medium-severity local privilege escalation vulnerability identified in Acronis Cyber Protect 17 (Windows) versions prior to build 41186. The root cause is improper directory permissions (CWE-276), which means that certain directories used by the software are configured with overly permissive access controls. This misconfiguration can allow a local attacker with limited privileges to modify or replace files within these directories, potentially injecting malicious code or altering the software’s behavior to escalate their privileges on the system. The vulnerability requires local access and some user interaction, such as executing a crafted file or script. The CVSS v3.0 base score is 5.0, reflecting a medium severity level, with the vector indicating local attack vector (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), user interaction (UI:R), unchanged scope (S:U), no confidentiality impact (C:N), high integrity impact (I:H), and no availability impact (A:N). No public exploits or active exploitation have been reported to date. The vulnerability affects all unspecified versions of Acronis Cyber Protect 17 before build 41186 on Windows platforms. Since Acronis Cyber Protect is widely used for backup and cybersecurity protection in enterprise environments, this vulnerability could be leveraged by malicious insiders or attackers who gain initial local access to escalate privileges and compromise system integrity.

The primary impact of CVE-2026-28717 is on the integrity of affected systems. An attacker exploiting this vulnerability can elevate their privileges from a limited user to a higher-privileged account, potentially SYSTEM or administrator level. This escalation can enable them to modify security settings, disable protections, install persistent malware, or access sensitive data indirectly by altering system behavior. Although confidentiality and availability are not directly impacted, the integrity compromise can lead to broader security breaches, lateral movement, and persistence within enterprise environments. Organizations relying on Acronis Cyber Protect 17 for backup and cybersecurity may face increased risk of insider threats or post-compromise escalation. The requirement for local access and user interaction limits remote exploitation but does not eliminate risk in environments where attackers can gain initial footholds via phishing, social engineering, or physical access. The absence of known exploits in the wild reduces immediate threat but underscores the importance of proactive mitigation.

1. Apply patches or updates from Acronis as soon as they are released for build 41186 or later to fix the directory permission issues. 2. In the absence of an official patch, manually audit and tighten directory permissions related to Acronis Cyber Protect 17 installation and operational folders to ensure only authorized system accounts have write access. 3. Restrict local user privileges and enforce the principle of least privilege to minimize the ability of low-privileged users to exploit local vulnerabilities. 4. Implement application whitelisting and endpoint detection to monitor for unauthorized file modifications or suspicious activities within Acronis directories. 5. Educate users about the risks of executing untrusted files or scripts that could trigger user interaction-based exploits. 6. Monitor system and security logs for unusual privilege escalation attempts or changes in Acronis-related files. 7. Consider isolating critical backup and cybersecurity infrastructure to limit local access to trusted administrators only. 8. Regularly review and update security policies to address local privilege escalation risks and incorporate vulnerability management best practices.