CVE-2023-45249
published 2024-07-24


Priority: P1 · 93 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (due 2024-08-19)
Exploited in the wild
EPSS: 53.53% (98.9th percentile)
Remote command execution due to use of default passwords. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.0.1-61, Acronis Cyber Infrastructure (ACI) before build 5.1.1-71, Acronis Cyber Infrastructure (ACI) before build 5.2.1-69, Acronis Cyber Infrastructure (ACI) before build 5.3.1-53, Acronis Cyber Infrastructure (ACI) before build 5.4.4-132.

Affected (10 ranges)

Vendor    Product                       Version range               Fixed in
acronis   acronis_cyber_infrastructure  >= unspecified < 5.0.1-61   5.0.1-61
acronis   acronis_cyber_infrastructure  >= unspecified < 5.1.1-71   5.1.1-71
acronis   acronis_cyber_infrastructure  >= unspecified < 5.2.1-69   5.2.1-69
acronis   acronis_cyber_infrastructure  >= unspecified < 5.3.1-53   5.3.1-53
acronis   acronis_cyber_infrastructure  >= unspecified < 5.4.4-132  5.4.4-132
acronis   cyber_infrastructure          < 5.0.1-61                  5.0.1-61
acronis   cyber_infrastructure          >= 5.1.1 < 5.1.1-71         5.1.1-71
acronis   cyber_infrastructure          >= 5.2.1 < 5.2.1-69         5.2.1-69
acronis   cyber_infrastructure          >= 5.3.1 < 5.3.1-53         5.3.1-53
acronis   cyber_infrastructure          >= 5.4.4 < 5.4.4-132        5.4.4-132

Detection & IOCs (extracted from sources)

port: 6432
other: username: vstoradmin / password: vstoradmin
command: SELECT release_notes_url FROM software_info
url: http://download.acronis.com/vstorage/
  • Detect exploitation attempts by monitoring for PostgreSQL connections on port 6432 using the default credential pair vstoradmin/vstoradmin targeting the 'vstoradmin' database.
  • Alert on the specific PostgreSQL query 'SELECT release_notes_url FROM software_info' issued against port 6432, which is the fingerprinting query used by the exploit to confirm a vulnerable ACI instance.
  • Monitor for unexpected SSH key uploads to the ACI appliance following PostgreSQL authentication, as the exploit chain uses DB access to gain admin portal access and then uploads SSH keys for root access.
  • Flag any external/WAN-facing exposure of PostgreSQL (port 6432) and SSH services on Acronis Cyber Infrastructure hosts, as the attack is fully remote when these services are internet-accessible.
  • Use the Censys search query to identify exposed vulnerable ACI instances: services.http.response.html_title:"Acronis Cyber Infrastructure" and services.port:6432
  • The exploit only succeeds if the ACI instance has never had its default PostgreSQL credentials changed. Instances where vstoradmin credentials were rotated post-deployment are not vulnerable via this vector.
  • The Nuclei template pre-condition checks that port 6432 is open before attempting exploitation; scanners or WAFs blocking this port will prevent the automated exploit but not necessarily manual exploitation.
  • Affected builds span multiple ACI major versions (5.0, 5.1, 5.2, 5.3, 5.4); patched builds are 5.0.1-61, 5.1.1-71, 5.2.1-69, 5.3.1-53, and 5.4.4-132 respectively. The build number can be verified via Help -> About in the ACI main window.
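As an added example (not from the page's sources or from Acronis), the first two detection notes above applied to PostgreSQL server log lines in Python: it flags logins with the default vstoradmin/vstoradmin pair, failed authentication attempts as vstoradmin, the fingerprinting query, and the two together in one backend session. The log_line_prefix layout and the sample log are assumptions; the port-6432 exposure check belongs in network or flow telemetry rather than in this log parser.

```python
"""Flag the CVE-2023-45249 indicators above in PostgreSQL server log lines. Assumes
log_connections=on, log_statement='all' and log_line_prefix '%m [%p] %u@%d %r ' (assumed)."""
import re

DEFAULT_USER = "vstoradmin"  # default credential pair from the IOC list above
DEFAULT_DB = "vstoradmin"
FINGERPRINT_QUERY = "SELECT release_notes_url FROM software_info"

# Prefix layout: timestamp [pid] user@db remote(port) LEVEL:  message
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]*)@(?P<db>\S*) "
                     r"(?P<remote>\S*) (?P<level>[A-Z]+):\s+(?P<msg>.*)$")
AUTH_RE = re.compile(r"^connection authorized: user=(?P<user>\S+) database=(?P<db>\S+)")
FAIL_RE = re.compile(r'^password authentication failed for user "(?P<user>[^"]+)"')

def normalize_sql(sql):
    """Collapse whitespace, strip a trailing ';' and lower-case so spacing/case changes don't evade the match."""
    return " ".join(sql.split()).rstrip(";").strip().lower()

def scan_lines(lines):
    """Return (line_no, rule, backend_pid) tuples. Rules: default_creds_login, default_creds_probe
    (failed auth as vstoradmin), fingerprint_query, exploit_chain (that query in a default-cred session)."""
    findings, default_sessions = [], set()
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a server log line in the assumed prefix format
        pid, msg = m["pid"], m["msg"]
        if (a := AUTH_RE.match(msg)) and a["user"] == DEFAULT_USER and a["db"] == DEFAULT_DB:
            default_sessions.add(pid)
            findings.append((n, "default_creds_login", pid))
        elif (f := FAIL_RE.match(msg)) and f["user"] == DEFAULT_USER:
            findings.append((n, "default_creds_probe", pid))
        elif msg.startswith("statement:") and normalize_sql(msg[10:]) == normalize_sql(FINGERPRINT_QUERY):
            rule = "exploit_chain" if pid in default_sessions else "fingerprint_query"
            findings.append((n, rule, pid))
    return findings

# Constructed sample log (not real ACI output): a default-credential session that runs the
# fingerprint query, a benign session, and a failed vstoradmin login from another host.
SAMPLE_LOG = """\
2024-07-25 10:00:01.120 UTC [4101] vstoradmin@vstoradmin 203.0.113.5(51234) LOG:  connection authorized: user=vstoradmin database=vstoradmin
2024-07-25 10:00:01.300 UTC [4101] vstoradmin@vstoradmin 203.0.113.5(51234) LOG:  statement: select  release_notes_url from software_info;
2024-07-25 10:00:02.000 UTC [4102] backup@backups 10.0.0.7(40022) LOG:  connection authorized: user=backup database=backups
2024-07-25 10:00:02.050 UTC [4102] backup@backups 10.0.0.7(40022) LOG:  statement: SELECT count(*) FROM jobs
2024-07-25 10:00:03.000 UTC [4103] vstoradmin@vstoradmin 198.51.100.9(33001) FATAL:  password authentication failed for user "vstoradmin"
"""

if __name__ == "__main__":
    for line_no, rule, pid in scan_lines(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {rule} (backend pid {pid})")
```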

CVSS provenance

nvd        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v3.0  9.8  CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck        9.8  CRITICAL
cisa             9.8  CRITICAL