CVE-2026-28721 is a local privilege escalation vulnerability identified in Acronis Cyber Protect 17 for Windows versions before build 41186. The root cause is improper handling of symbolic links (soft links), categorized under CWE-610, which involves insecure interactions with symbolic links that can be exploited to escalate privileges. An attacker with local access and limited privileges can leverage this vulnerability by tricking the software into following or manipulating symbolic links in an unsafe manner, thereby gaining elevated privileges on the system. This can lead to full compromise of system confidentiality, integrity, and availability. The vulnerability requires user interaction and local access, which limits remote exploitation but still poses a significant risk in environments where multiple users have access or where attackers can gain initial footholds with limited privileges. The CVSS v3.0 score is 7.3 (High), reflecting low attack complexity but requiring privileges and user interaction, with high impact on confidentiality, integrity, and availability. No public exploits are currently known, but the vulnerability is published and should be addressed promptly. The affected product is widely used in enterprise backup and cyber protection scenarios, making this a critical issue for organizations relying on Acronis Cyber Protect 17 for data protection and system security.

If exploited, this vulnerability allows an attacker with local access to escalate their privileges to higher levels, potentially SYSTEM or administrator level. This could enable the attacker to execute arbitrary code with elevated rights, disable security controls, access or modify sensitive data, and disrupt backup and recovery operations. The compromise of backup software is particularly severe because it can undermine an organization's ability to recover from ransomware or other attacks, increasing the risk of data loss and operational downtime. The requirement for local access and user interaction limits the attack surface but does not eliminate risk in environments with multiple users or where attackers can gain initial access with limited privileges. The high impact on confidentiality, integrity, and availability makes this vulnerability a significant threat to enterprise environments, especially those relying heavily on Acronis Cyber Protect 17 for critical data protection.

Organizations should immediately plan to upgrade Acronis Cyber Protect 17 to build 41186 or later once patches are released by the vendor. Until a patch is available, implement strict local user privilege management to minimize the number of users with local access and restrict the ability to create or manipulate symbolic links. Employ application whitelisting and endpoint protection solutions to detect and block suspicious activities related to symbolic link manipulation. Conduct regular audits of local user accounts and permissions to ensure least privilege principles are enforced. Additionally, monitor system logs for unusual symbolic link operations or privilege escalation attempts. Segregate backup servers and management consoles from general user workstations to reduce exposure. Educate users about the risks of interacting with untrusted files or links that could trigger exploitation. Finally, maintain robust backup and recovery procedures independent of the vulnerable software to ensure resilience against potential compromise.