CVE-2026-28727 is a local privilege escalation vulnerability identified in Acronis Cyber Protect 17, Acronis Cyber Protect Cloud Agent, and Acronis True Image products running on macOS platforms. The root cause is insecure permissions set on Unix domain sockets used by these applications, classified under CWE-276 (Incorrect Default Permissions). Unix sockets are IPC mechanisms that, if improperly permissioned, can allow unauthorized local users to interact with privileged processes. In this case, an attacker with limited local privileges can exploit the insecure socket permissions to gain elevated privileges, potentially full administrative rights on the system. The vulnerability does not require user interaction and has a low attack complexity, but it does require local access, meaning the attacker must already have some foothold on the system. The CVSS v3.0 score is 7.8, reflecting high impact on confidentiality, integrity, and availability, as the attacker can fully compromise the system. Affected versions are all builds before 41186 for Cyber Protect 17, before 41124 for Cyber Protect Cloud Agent, and before 42902 for True Image on macOS. No patches or exploit code are currently publicly available, but the vulnerability is published and should be addressed promptly. This vulnerability is particularly critical in multi-user environments or where attackers can gain limited local access, as it allows privilege escalation to administrative levels.

The impact of CVE-2026-28727 is significant for organizations using affected Acronis products on macOS. Successful exploitation allows an attacker with local access to escalate privileges to administrative or root level, compromising system confidentiality, integrity, and availability. This can lead to unauthorized access to sensitive backup data, manipulation or deletion of backups, and disruption of backup and recovery operations. In environments where macOS systems are shared or where attackers can gain initial limited access (e.g., through phishing, malware, or insider threats), this vulnerability can be leveraged to take full control of the system, potentially spreading laterally or persisting undetected. The lack of required user interaction and low complexity of exploitation increase the risk. This can undermine organizational resilience, data protection strategies, and compliance with data security regulations.

Organizations should immediately inventory affected Acronis products on macOS and prioritize patching as soon as vendor updates are released. Until patches are available, implement strict local access controls to limit user permissions and restrict access to systems running these products. Use macOS security features such as System Integrity Protection (SIP) and mandatory access controls to reduce the risk of unauthorized socket access. Monitor system logs and audit Unix socket permissions regularly for anomalies. Employ endpoint detection and response (EDR) tools to detect suspicious local privilege escalation attempts. Additionally, restrict installation of untrusted software and enforce strong authentication to reduce the likelihood of initial local compromise. Coordinate with Acronis support for guidance and apply any recommended interim mitigations or configuration changes to harden socket permissions manually if feasible.