CVE-2022-3405
Published 2023-05-03

Priority P3 (56) · high · CVSS 3.1 base score 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Exploit · EPSS 5.33% (91.6th percentile)
Code execution and sensitive information disclosure due to excessive privileges assigned to Acronis Agent. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 29486, Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| acronis | acronis_cyber_backup_12.5 | >= unspecified < 16545 | 16545 |
| acronis | acronis_cyber_protect_15 | >= unspecified < 29486 | 29486 |
| acronis | cyber_backup | — | — |
| acronis | cyber_protect | — | — |
Detection & IOCs (extracted from sources)

- Monitor for unauthenticated/anonymous HTTP requests to the Acronis agent registration API endpoint, which should not be accessible without authentication in a hardened deployment.
- Alert on Bearer tokens obtained via the agent registration API being subsequently used against the management web console, as both share the same port; a token acquired anonymously should not appear in web console admin actions.
- Detect abuse of PreCommands in backup jobs or Validation jobs on the appliance agent as indicators of RCE exploitation; these are the specific web console features leveraged to execute arbitrary commands.
- Investigate unexpected new agent registrations on the Acronis appliance, especially from external or unknown IP addresses, as attackers register a fake agent to obtain a privileged bearer token.
- The vulnerability is exploitable only in the default configuration of the Acronis appliance; hardening the agent registration endpoint to require authentication would mitigate anonymous exploitation.
- Affected builds are Acronis Cyber Protect 15 (Windows, Linux) before build 29486 and Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545; patching to these builds or later remediates the issue.
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.3 | CRITICAL | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |
| vendor_redhat | n/a | 5.5 | MEDIUM | n/a |
No detection rules found.
Metasploit: Acronis Cyber Protect/Backup machine info disclosure

Acronis Cyber Protect or Backup is an enterprise backup/recovery solution for all compute, storage and application resources. Businesses and Service Providers are using it to protect and backup all IT assets in their IT environment. This module exploits an authentication bypass vulnerability at the Acronis Cyber Protect appliance which, in its default configuration, allows the anonymous registration of new backup/protection agents on new endpoints. This API endpoint also generates bearer tokens which the agent then uses to authenticate to the appliance. As the management web console is running on the same port as the API for the agents, this bearer token is also valid for any actions on the web console. This allows an attacker with net
Metasploit: Acronis Cyber Protect/Backup remote code execution

Acronis Cyber Protect or Backup is an enterprise backup/recovery solution for all compute, storage and application resources. Businesses and Service Providers are using it to protect and backup all IT assets in their IT environment. The Acronis Cyber Protect appliance, in its default configuration, allows the anonymous registration of new protect/backup agents on new endpoints. This API endpoint also generates bearer tokens which the agent then uses to authenticate to the appliance. As the management web console is running on the same port as the API for the agents, this bearer token is also valid for any actions on the web console. This allows an attacker with network access to the appliance to start the registration of a new agent, ret
No writeups or analysis indexed.