CVE-2024-8767 Overview
CVE-2024-8767 is a privilege management flaw in Acronis Backup integrations for popular web hosting control panels on Linux. The vulnerability stems from unnecessary privileges assigned to components within the Acronis Backup plugin for cPanel & WHM, the Acronis Backup extension for Plesk, and the Acronis Backup plugin for DirectAdmin. An authenticated attacker can leverage these excess privileges to disclose and manipulate sensitive data on affected systems. The weakness is classified under [CWE-250: Execution with Unnecessary Privileges].
Critical Impact
Authenticated low-privilege users on shared hosting platforms can read and modify sensitive backup data across tenant boundaries, breaking confidentiality and integrity guarantees.
Affected Products
- Acronis Backup plugin for cPanel & WHM (Linux) before build 619
- Acronis Backup extension for Plesk (Linux) before build 555
- Acronis Backup plugin for DirectAdmin (Linux) before build 147
Discovery Timeline
- 2024-09-17 - CVE-2024-8767 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-8767
Vulnerability Analysis
The issue resides in how Acronis Backup integrations execute privileged operations within multi-tenant hosting control panels. The plugins run with privileges that exceed what their functional scope requires. This violates the principle of least privilege and creates a path for sensitive data disclosure and manipulation across tenant contexts. Because cPanel, Plesk, and DirectAdmin host many independent customer accounts on a single Linux server, any privilege boundary failure in an integrated backup component has cross-tenant impact. The vendor advisory tracks the fix under Acronis Security Advisory SEC-4976.
Root Cause
The root cause is [CWE-250: Execution with Unnecessary Privileges]. The affected plugin components perform operations under elevated rights that should have been scoped down or dropped before handling user-controlled data. An attacker with a foothold in the control panel can use this elevated context to act on backup files, configuration, or metadata that belong to other tenants or the host system.
Attack Vector
Exploitation requires network access to the control panel and low-level authenticated privileges, with no user interaction. The scope is changed, meaning the impact extends beyond the vulnerable component to other security authorities on the host. Successful exploitation yields high confidentiality, integrity, and availability impact on backup data and adjacent resources.
No verified public exploit code is available for CVE-2024-8767. Refer to the vendor advisory for technical details.
Detection Methods for CVE-2024-8767
Indicators of Compromise
- Unexpected access to backup archives, configuration files, or metadata belonging to other hosting accounts.
- Modifications to Acronis Backup plugin configuration or restore operations initiated by non-administrative control panel users.
- Process executions from Acronis Backup plugin paths running with elevated user or group IDs unrelated to the invoking tenant.
Detection Strategies
- Audit control panel logs in cPanel & WHM, Plesk, and DirectAdmin for backup-related actions performed by accounts that should not have such access.
- Monitor file integrity on backup directories and plugin binaries for changes not tied to vendor updates or scheduled jobs.
- Correlate authentication events with privileged plugin invocations to identify lateral movement patterns across tenants.
Monitoring Recommendations
- Enable verbose logging in the Acronis Backup plugin and ship logs to a central data lake for retention and search.
- Alert on setuid or sudo invocations originating from plugin processes outside expected maintenance windows.
- Track outbound network connections from the plugin to non-Acronis destinations as a signal of misuse.
How to Mitigate CVE-2024-8767
Immediate Actions Required
- Upgrade the Acronis Backup plugin for cPanel & WHM to build 619 or later on all affected Linux hosts.
- Upgrade the Acronis Backup extension for Plesk to build 555 or later.
- Upgrade the Acronis Backup plugin for DirectAdmin to build 147 or later.
- Review control panel user accounts and remove inactive or unnecessary low-privilege users that could be abused as a foothold.
Patch Information
Acronis has released fixed builds for each affected integration. Consult the Acronis Security Advisory SEC-4976 for the official build numbers, download locations, and upgrade procedures. Apply the vendor-supplied updates rather than attempting manual permission changes, since the fix adjusts how the plugin assigns and drops privileges at runtime.
Workarounds
- If immediate patching is not possible, restrict access to the control panel management interface to trusted administrative networks only.
- Disable the Acronis Backup plugin or extension on affected control panels until the fixed build can be installed.
- Enforce strong authentication and rate limiting on control panel logins to reduce the pool of accounts that can reach the vulnerable code path.
# Example: verify installed Acronis Backup plugin build on a Linux control panel host
# cPanel & WHM
cat /usr/local/cpanel/whostmgr/docroot/cgi/acronis/version.txt
# Plesk
plesk bin extension --info acronis-backup
# DirectAdmin
cat /usr/local/directadmin/plugins/acronis_backup/version.txt
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
