CVE-2026-28722 is a local privilege escalation vulnerability identified in Acronis Cyber Protect 17 for Windows, specifically in versions prior to build 41186. The root cause is improper handling of symbolic links (soft links), categorized under CWE-610, which involves insecure interactions with symbolic links that can be manipulated by an attacker. This flaw allows an attacker with limited local privileges and requiring user interaction to exploit the vulnerability and escalate their privileges to a higher level, potentially administrative. The CVSS v3.0 score is 7.3 (high), reflecting the significant impact on confidentiality, integrity, and availability if exploited. The attack vector is local, with low attack complexity and low privileges required, but user interaction is necessary. No public exploits have been reported yet, and no patches are currently linked, indicating that remediation may still be pending or in progress. The vulnerability affects a widely used cybersecurity and backup product, which is often deployed in enterprise environments to protect critical data and systems. Improper symbolic link handling can allow attackers to redirect file operations to arbitrary locations, enabling unauthorized file modifications or execution of malicious code with elevated privileges. This can lead to full system compromise, data breaches, or disruption of backup and recovery operations.

The potential impact of CVE-2026-28722 is significant for organizations using Acronis Cyber Protect 17. Exploitation can lead to full local system compromise by escalating privileges from a limited user to an administrator or system level. This threatens the confidentiality of sensitive data, the integrity of backup and security configurations, and the availability of critical backup and recovery services. Attackers could manipulate backup processes, disable security features, or install persistent malware. Since the product is used globally in enterprise and managed service provider environments, the vulnerability could facilitate lateral movement within networks if attackers gain initial footholds. The requirement for local access and user interaction somewhat limits remote exploitation but does not eliminate risk, especially in environments with many users or where attackers have already compromised lower-privileged accounts. The absence of known exploits in the wild suggests limited current active exploitation, but the high severity score and nature of the flaw make it a priority for remediation to prevent future attacks.

Organizations should immediately inventory their deployments of Acronis Cyber Protect 17 and verify the build versions to identify vulnerable instances. Until an official patch is released, implement strict local access controls and limit user permissions to reduce the risk of exploitation. Employ application whitelisting and endpoint protection solutions to detect and block suspicious symbolic link manipulations. Educate users about the risks of interacting with untrusted files or prompts that could trigger exploitation. Monitor system logs for unusual file system activity related to symbolic links. Once a patch or update is available from Acronis, apply it promptly following testing in controlled environments. Additionally, consider isolating backup servers and management consoles from general user access to minimize exposure. Regularly review and harden system configurations to prevent unauthorized local access and reduce the attack surface.