CVE-2026-28720 is a vulnerability identified in Acronis Cyber Protect 17, a widely used backup and cybersecurity solution for Linux and Windows platforms. The root cause is insufficient authorization checks (CWE-863), which means that the software fails to properly verify whether a user has the necessary permissions before allowing modification of critical settings. This flaw enables an attacker with limited privileges (requiring some level of authentication) to alter security configurations without proper authorization, potentially weakening the system's defense mechanisms. The vulnerability has a CVSS 3.0 base score of 4.3 (medium severity), reflecting that it is remotely exploitable over the network (AV:N), requires low attack complexity (AC:L), and privileges (PR:L), but no user interaction (UI:N). The impact is limited to integrity, with no direct confidentiality or availability effects. No public exploits or active exploitation have been reported yet. The affected versions include all builds of Acronis Cyber Protect 17 prior to build 41186. Since Acronis Cyber Protect is used in enterprise environments for backup and cybersecurity, unauthorized changes to its settings could lead to misconfigurations, disabling of protections, or other security gaps. The vulnerability underscores the importance of robust authorization mechanisms in security-critical software.

The primary impact of CVE-2026-28720 is on the integrity of security settings within Acronis Cyber Protect 17. Unauthorized modification of these settings can lead to weakened backup policies, disabled protection features, or altered configurations that reduce the effectiveness of the security solution. This can indirectly increase the risk of data loss, ransomware infections, or other cyberattacks due to misconfigured defenses. Since the vulnerability requires some level of privileges, it is most concerning in environments where users have limited but non-administrative access, such as managed service providers or segmented enterprise networks. The lack of confidentiality or availability impact reduces the risk of direct data breaches or service outages. However, the potential for stealthy configuration changes makes detection difficult, increasing the risk of prolonged exposure. Organizations relying on Acronis Cyber Protect for critical data protection and cybersecurity may face increased risk of compromise if this vulnerability is exploited.

Organizations should immediately verify their Acronis Cyber Protect 17 build version and plan to upgrade to build 41186 or later once available. In the absence of a patch, restrict network access to the management interfaces of Acronis Cyber Protect to trusted administrators only, using network segmentation and firewall rules. Implement strict role-based access controls (RBAC) to limit user privileges and monitor for unauthorized configuration changes via audit logs. Employ multi-factor authentication (MFA) for all users with privileges to modify security settings. Regularly review and harden security policies within Acronis Cyber Protect to minimize the attack surface. Additionally, monitor system and application logs for unusual activity indicative of unauthorized modifications. Coordinate with Acronis support for any interim mitigation guidance or hotfixes. Finally, integrate this vulnerability into vulnerability management and incident response workflows to ensure timely detection and remediation.