CVE-2026-28722 is a local privilege escalation vulnerability identified in Acronis Cyber Protect 17 for Windows versions prior to build 41186. The root cause is improper handling of symbolic links (soft links), which falls under CWE-610 (Improper Restriction of Symbolic Links in a File System). This vulnerability allows an attacker with limited privileges on the affected system to exploit the way the software processes symbolic links, potentially redirecting operations to unintended files or directories. By doing so, the attacker can escalate their privileges to a higher level, gaining unauthorized access to sensitive system functions or data. The vulnerability requires local access and user interaction, meaning the attacker must already have some level of access and perform an action to trigger the exploit. The CVSS v3.0 base score of 7.3 reflects a high severity, with metrics indicating low attack complexity, low privileges required, and user interaction needed. The impact covers confidentiality, integrity, and availability, all rated high, meaning the attacker could potentially read, modify, or disrupt critical system components. No patches or exploits are currently publicly available, but the risk remains significant due to the nature of the vulnerability and the critical role of Acronis Cyber Protect in enterprise backup and cybersecurity operations.

The vulnerability allows attackers with limited local access to escalate privileges, potentially gaining administrative control over affected systems. This can lead to unauthorized access to sensitive backup data, manipulation or deletion of backups, and disruption of cybersecurity protections provided by Acronis Cyber Protect 17. Such control could enable attackers to bypass security controls, install persistent malware, or disrupt business continuity by compromising backup integrity and availability. Organizations relying on this software for data protection and recovery could face significant operational and reputational damage if exploited. The impact is particularly severe in environments where Acronis Cyber Protect is deployed on critical servers or endpoints, including enterprise, government, and industrial systems. Although no known exploits are currently in the wild, the vulnerability's characteristics make it a viable target for attackers seeking local privilege escalation vectors.

1. Apply official patches or updates from Acronis as soon as they become available to address the symbolic link handling flaw. 2. Until patches are released, restrict local user permissions to the minimum necessary, preventing untrusted users from accessing or modifying files related to Acronis Cyber Protect. 3. Implement strict file system permissions and monitor for suspicious symbolic link creation or modification activities in directories used by the software. 4. Use application whitelisting and endpoint detection and response (EDR) tools to detect and block unauthorized privilege escalation attempts. 5. Educate users about the risks of executing untrusted files or scripts that could trigger the vulnerability. 6. Regularly audit and review system logs for anomalies related to file system operations and privilege escalations. 7. Consider isolating critical backup servers and limiting local access to trusted administrators only. These measures, combined with timely patching, will reduce the risk of exploitation.