CVE-2022-3405
published 2023-05-03

CVE-2022-3405: Code execution and sensitive information disclosure due to excessive privileges assigned to Acronis Agent. The following products are affected: Acronis Cyber…

Priority: P3 · 56 · high · 8.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: EPSS 5.33% (91.6th percentile)
Code execution and sensitive information disclosure due to excessive privileges assigned to Acronis Agent. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 29486, Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545.

Affected

4 ranges

Vendor    Product                    Version range             Fixed in
acronis   acronis_cyber_backup_12.5  >= unspecified, < 16545   16545
acronis   acronis_cyber_protect_15   >= unspecified, < 29486   29486
acronis   cyber_backup
acronis   cyber_protect

Detection & IOCs (extracted from sources)

url: /api/ams/agents
other: Bearer token (unauthenticated/anonymous agent registration endpoint)
  • Monitor for unauthenticated/anonymous HTTP requests to the Acronis agent registration API endpoint, which should not be accessible without authentication in a hardened deployment.
  • Alert on Bearer tokens obtained via the agent registration API being subsequently used against the management web console, as both share the same port: a token acquired anonymously should not appear in web console admin actions.
  • Detect abuse of PreCommands in backup jobs or Validation jobs on the appliance agent as indicators of RCE exploitation; these are the specific web console features leveraged to execute arbitrary commands.
  • Investigate unexpected new agent registrations on the Acronis appliance, especially from external or unknown IP addresses, as attackers register a fake agent to obtain a privileged bearer token.
  • The vulnerability is exploitable only in the default configuration of the Acronis appliance; hardening the agent registration endpoint to require authentication would mitigate anonymous exploitation.
  • Affected builds are Acronis Cyber Protect 15 (Windows, Linux) before build 29486 and Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545; patching to these builds or later remediates the issue.
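As an added detection sketch (not from the advisory, the source, or Acronis), the first two indicators above run over constructed log lines: an anonymous request to /api/ams/agents is flagged, and any token it handed out is flagged again when it later appears as a Bearer token on another route. The log line shape and the /api/plans console route are assumptions made for this example.

```python
import re
from typing import Optional

# The agent registration API path named in the IOC list above.
REGISTRATION_PATH = "/api/ams/agents"

# Constructed log line shape for this example (not Acronis' real log format):
#   <ts> <src_ip> <method> <path> auth=<Bearer:token|-> status=<code> issued=<token|->
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"auth=(?P<auth>\S+) status=(?P<status>\d+) issued=(?P<issued>\S+)$"
)

def parse(line: str) -> Optional[dict]:
    """Parse one constructed log line; None if it does not match the shape."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def detect(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (rule, src_ip, detail) alerts for the first two indicators above."""
    anon_tokens: dict[str, str] = {}  # token -> IP that obtained it anonymously
    alerts: list[tuple[str, str, str]] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        auth = ev["auth"]
        bearer = auth[len("Bearer:"):] if auth.startswith("Bearer:") else None
        if ev["path"].startswith(REGISTRATION_PATH):
            # Indicator 1: registration request carrying no Authorization header.
            if auth == "-":
                alerts.append(("anonymous_agent_registration", ev["src"], ev["path"]))
                if ev["status"] == "200" and ev["issued"] != "-":
                    anon_tokens[ev["issued"]] = ev["src"]
        elif bearer is not None and bearer in anon_tokens:
            # Indicator 2: an anonymously minted token now used on other routes.
            detail = f"token issued to {anon_tokens[bearer]}; {ev['method']} {ev['path']}"
            alerts.append(("registration_token_used_on_console", ev["src"], detail))
    return alerts

# Constructed sample log: an anonymous registration whose token is reused, a legitimate
# admin request, and a refused anonymous registration. /api/plans is a made-up route.
SAMPLE_LOG = [
    "2023-05-03T10:00:00Z 203.0.113.9 POST /api/ams/agents auth=- status=200 issued=tokAnon",
    "2023-05-03T10:00:30Z 203.0.113.9 POST /api/plans auth=Bearer:tokAnon status=200 issued=-",
    "2023-05-03T10:01:00Z 10.0.0.7 GET /api/plans auth=Bearer:tokAdmin status=200 issued=-",
    "2023-05-03T10:02:00Z 198.51.100.4 POST /api/ams/agents auth=- status=401 issued=-",
]
```

Running `detect(SAMPLE_LOG)` yields three alerts: two anonymous registrations and one reuse of the anonymously issued token; the refused registration records no token.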

CVSS provenance

nvd            v3.1  8.8  HIGH      CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v3.0  9.3  CRITICAL  CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
vendor_redhat        5.5  MEDIUM