
CVE-2026-28728: CWE-427 in Acronis True Image

Severity: Medium
Published: Thu Apr 02 2026 (04/02/2026, 17:04:45 UTC)
Source: CVE Database V5
Vendor/Project: Acronis
Product: Acronis True Image

Description

Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis True Image (Windows) before build 42902.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 04/02/2026, 17:55:50 UTC

Technical Analysis

CVE-2026-28728 is a vulnerability identified in Acronis True Image for Windows, specifically affecting versions prior to build 42902. The issue stems from a DLL hijacking flaw (CWE-427), where the application improperly loads dynamic link libraries from untrusted locations. This flaw allows a local attacker with low privileges to escalate their rights by tricking the application into loading a malicious DLL, thereby executing arbitrary code with elevated privileges. The attack requires the attacker to have local access and involves user interaction, such as running the vulnerable application or triggering a specific action. The vulnerability impacts confidentiality, integrity, and availability, as an attacker could gain control over the system, access sensitive backup data, or disrupt backup operations. The CVSS v3.0 score of 6.7 reflects the medium severity, considering the attack vector is local, attack complexity is high, privileges required are low, and user interaction is necessary. No public exploits have been reported yet, but the vulnerability poses a significant risk to organizations relying on Acronis True Image for backup and recovery on Windows platforms. The lack of an official patch at the time of reporting necessitates immediate mitigation efforts to reduce exposure.

Potential Impact

The vulnerability allows local attackers to escalate privileges on affected Windows systems running Acronis True Image, potentially leading to full system compromise. This can result in unauthorized access to sensitive backup data, manipulation or deletion of backups, and disruption of critical backup and recovery processes. Organizations relying on Acronis True Image for data protection may face data loss, operational downtime, and increased risk of ransomware or other malware attacks leveraging elevated privileges. The impact extends to confidentiality, as attackers could access sensitive information; integrity, through unauthorized modification of backup data; and availability, by disabling or corrupting backup services. Although exploitation requires local access and user interaction, insider threats or attackers who gain initial footholds could leverage this vulnerability to deepen their control over systems. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially in environments with lax local access controls.

Mitigation Recommendations

Until an official patch is released, organizations should implement strict DLL loading policies, such as enabling Windows Defender Application Control (WDAC) or AppLocker to restrict execution of unauthorized DLLs. Conduct thorough audits of local user privileges and remove unnecessary administrative rights to limit potential exploitation. Educate users to avoid running untrusted applications or opening suspicious files that could trigger the vulnerability. Employ application whitelisting to ensure only verified binaries and DLLs are loaded by Acronis True Image. Monitor system logs for unusual DLL load attempts or privilege escalation activities. Isolate critical backup systems from general user environments to reduce local attack surface. Once a patch is available, prioritize timely deployment across all affected systems. Additionally, maintain regular backups of backup configurations and data to enable recovery in case of compromise.


Technical Details

Data Version: 5.2
Assigner Short Name: Acronis
Date Reserved: 2026-03-03T02:29:03.755Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 69cea98ae6bfc5ba1defd453

Added to database: 4/2/2026, 5:38:18 PM

Last enriched: 4/2/2026, 5:55:50 PM

Last updated: 4/3/2026, 5:52:41 AM
