CVE-2025-11790 Overview
CVE-2025-11790 is an Improper Permissions vulnerability in the Acronis Cyber Protect Cloud Agent. When a protection plan is revoked, the credentials that plan used are not deleted from the agent's local storage. A local user who already holds high privileges on the host can read that leftover authentication data, which should no longer exist, and reuse it wherever it is still valid.
Impact
A privileged local attacker can recover credentials that should have been purged when a plan was revoked and use them to reach whatever resources those credentials still unlock. The preconditions (local access, high privileges, a plan revoked earlier) limit the severity: the attacker already controls the host, so the real damage is lateral movement with the recovered secrets rather than compromise of the host itself.
Affected Products
- Acronis Cyber Protect Cloud Agent (Linux) before build 41124
- Acronis Cyber Protect Cloud Agent (macOS) before build 41124
- Acronis Cyber Protect Cloud Agent (Windows) before build 41124
Discovery Timeline
- 2026-03-06 - CVE-2025-11790 published to NVD
- 2026-03-09 - Last updated in the NVD database
Technical Details for CVE-2025-11790
Vulnerability Analysis
This vulnerability is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource). The core issue is credential lifecycle management in the Acronis Cyber Protect Cloud Agent: when a protection plan is revoked or removed, the agent does not delete the credentials associated with that plan from the local system, so they remain readable to anyone who can read the agent's storage.
Exploitation requires local access and high privileges. Attack complexity is low, but the privilege requirement confines exposure to attackers who already hold administrative or root-level access on the target machine. The impact is to confidentiality only: the attacker obtains credentials that outlived their intended lifetime. The practical question for a defender is what those credentials still unlock, since a plan's credentials may be valid on systems other than the compromised host.
Root Cause
The root cause of CVE-2025-11790 is incomplete cleanup in the agent's plan revocation workflow. Revoking a plan removes the plan but leaves its authentication data in the agent's credential store. Sensitive data therefore persists longer than necessary, contrary to the principles of data minimization and secure disposal; the correct behaviour is to treat revocation as the end of the credential's lifecycle and purge it at that point.
Attack Vector
The attack vector is local: the attacker needs a privileged session on the affected host rather than network reachability. The exploitation scenario involves:
- An attacker gains high-privileged access to a system running a vulnerable version of Acronis Cyber Protect Cloud Agent
- A protection plan has been previously configured and subsequently revoked
- The attacker locates the persistent credential storage used by the Acronis Agent
- The attacker extracts credentials that should have been deleted upon plan revocation
- These credentials could potentially be used to access other protected resources or systems
The vulnerability does not require user interaction and has no impact on system availability or integrity, focusing exclusively on confidentiality compromise through improper data retention.
Detection Methods for CVE-2025-11790
Indicators of Compromise
- Reads of Acronis Agent credential storage files by processes other than the agent's own service
- Enumeration attempts targeting Acronis configuration directories
- Unusual read operations on credential files after plan revocation events
- Evidence of credential extraction tools being used on Acronis-related paths
Detection Strategies
- Monitor file access events on Acronis Agent credential storage locations across all supported platforms (Linux, macOS, Windows)
- Implement audit logging for administrative access to systems running Acronis Cyber Protect Cloud Agent
- Deploy endpoint detection rules that flag post-revocation credential access attempts
- Use OS-level file access auditing (auditd on Linux, the audit facilities on macOS, object access auditing on Windows) to record reads of sensitive Acronis configuration files; file integrity monitoring on its own reports modifications, not reads, so it will not see a copy of the credential store being taken
Monitoring Recommendations
- Enable enhanced logging for Acronis Agent operations, particularly plan management events
- Configure SIEM alerts for credential-related file access following protection plan changes
- Implement privileged access monitoring on systems with Acronis Cyber Protect Cloud Agent installed
- Regularly audit systems for residual credential data after plan revocations
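The post-revocation correlation described in the detection strategies and monitoring recommendations above, as an added example that is not part of the original page or of any Acronis tooling. It assumes a pre-normalized event stream of the form `<epoch> <kind> <uid> <exe> <path-or-detail>` (an assumption: a real pipeline would build these lines from the agent's plan-management log and from auditd or Windows object-access events), that the agent's own binaries live under /usr/lib/Acronis/ and its state under /var/lib/Acronis/ (assumed paths), and that the sample events below are constructed.

```shell
#!/bin/sh
# Added example, not Acronis code. Constructed event stream: one event per line,
# "<epoch> <kind> <uid> <exe> <path-or-detail>". Assumed paths: agent binaries under
# /usr/lib/Acronis/, agent state (credential storage) under /var/lib/Acronis/.
SAMPLE_EVENTS='1710000000 plan_revoked 0 /usr/lib/Acronis/agent plan=daily-backup
1709999900 file_read 0 /usr/bin/cat /var/lib/Acronis/credentials.db
1710000100 file_read 0 /usr/bin/cat /var/lib/Acronis/credentials.db
1710000200 file_read 0 /usr/lib/Acronis/agent /var/lib/Acronis/credentials.db
1710000300 file_read 1001 /usr/bin/python3 /var/lib/Acronis/vault.db
1710000400 file_read 0 /usr/bin/cat /etc/passwd'

AGENT_BIN_DIR=/usr/lib/Acronis/
AGENT_STATE_DIR=/var/lib/Acronis/

# flag_post_revocation_reads < events
# Sorts events by time (audit sources rarely arrive in order), remembers the latest
# plan_revoked, and prints every read of a file under AGENT_STATE_DIR that happens
# after it and is not performed by a binary under AGENT_BIN_DIR. Keying on the
# executable rather than the uid matters because the agent itself runs as root, so
# a uid-based filter would hide exactly the privileged attacker this CVE involves.
# Output: "<epoch> uid=<uid> <exe> <path>". Reads before any revocation, reads by
# the agent itself, and reads outside the state dir are ignored.
flag_post_revocation_reads() {
    sort -n | awk -v bin="$AGENT_BIN_DIR" -v state="$AGENT_STATE_DIR" '
        $2 == "plan_revoked" { last_revoke = $1 + 0; next }
        $2 == "file_read" && last_revoke > 0 && ($1 + 0) > last_revoke &&
            index($5, state) == 1 && index($4, bin) != 1 {
            printf "%s uid=%s %s %s\n", $1, $3, $4, $5
        }'
}

# count_flags < events: number of flagged reads, convenient for an alert threshold.
count_flags() {
    flag_post_revocation_reads | { grep -c . || true; }
}

printf '%s\n' "$SAMPLE_EVENTS" | flag_post_revocation_reads
```

Run against the constructed stream it reports the two reads by /usr/bin/cat and /usr/bin/python3 after the revocation; the read that predates the revocation, the agent's own read, and the read of /etc/passwd are not reported. On a real host the sort step is what makes the "after revocation" test trustworthy when the agent log and the audit log are merged.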
How to Mitigate CVE-2025-11790
Immediate Actions Required
- Update Acronis Cyber Protect Cloud Agent to build 41124 or later on all affected platforms
- Audit existing systems for any protection plans that were revoked prior to patching
- Manually verify and remove any residual credentials from previously revoked plans, following Acronis guidance for the platform; confirm whether the update also purges data left behind by earlier revocations rather than assuming it does, since the advisory describes the fix for future revocations
- Review access logs for any suspicious activity targeting Acronis Agent credential storage
Patch Information
Acronis has addressed this vulnerability in Acronis Cyber Protect Cloud Agent build 41124. Organizations should apply this update across all affected platforms (Linux, macOS, and Windows). For detailed patch information and download links, refer to the Acronis Security Advisory SEC-8658 and Acronis Security Advisory SEC-9386.
Workarounds
- Restrict administrative access to systems running vulnerable Acronis Agent versions to reduce the attack surface
- Implement additional access controls on Acronis Agent configuration and credential directories; this only raises the bar for lower-privileged users, since the attacker profile this CVE requires (root or administrator) can bypass filesystem permissions
- Consider temporarily uninstalling the Acronis Agent from sensitive systems until patching is complete, weighing the loss of backup and protection coverage against the exposure
- Deploy enhanced endpoint monitoring to detect credential access attempts on affected systems
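A verification routine for the immediate actions and the permissions workaround above, as an added example that is not part of the original page or of Acronis's tooling. It assumes the agent reports its version as MAJOR.MINOR.BUILD with the build as the last dot-separated component (an assumption about the version format) and takes the directory to audit as an argument, so it can be pointed at /var/lib/Acronis/ on a real host or at a scratch directory for testing; the demonstration at the end uses a constructed scratch directory.

```shell
#!/bin/sh
# Added example, not Acronis code. Fixed build taken from the advisory.
FIXED_BUILD=41124

# build_is_fixed VERSION
# VERSION is assumed to be MAJOR.MINOR.BUILD (e.g. 25.3.41124); the build is the last
# dot-separated component. Returns 0 if the build is at or above FIXED_BUILD, 1 if it
# is older, 2 if the string cannot be parsed (never silently pass an unknown version).
build_is_fixed() {
    build=${1##*.}
    case "$build" in
        ''|*[!0-9]*) printf 'unparseable version: %s\n' "$1" >&2; return 2 ;;
    esac
    [ "$build" -ge "$FIXED_BUILD" ]
}

# exposed_files DIR
# Lists regular files under DIR readable by group or others. On hosts where the agent
# runs as root this does not stop a root attacker (the profile this CVE requires); it
# catches files a lower-privileged account could read, which is what the permissions
# workaround is meant to close.
exposed_files() {
    find "$1" -type f \( -perm -g+r -o -perm -o+r \) 2>/dev/null | sort
}

# Demonstration on a constructed scratch directory standing in for /var/lib/Acronis/.
demo() {
    d=$(mktemp -d)
    printf 'x' > "$d/private.db";  chmod 600 "$d/private.db"
    printf 'x' > "$d/leaky.db";    chmod 644 "$d/leaky.db"
    mkdir "$d/plans"
    printf 'x' > "$d/plans/creds"; chmod 640 "$d/plans/creds"
    exposed_files "$d"
    rm -rf "$d"
}
demo
```

Feed build_is_fixed the version string the agent reports and treat anything other than a 0 exit as "not verified", including the parse failure; the demo lists only leaky.db and plans/creds, the two files a non-root account could read.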
# Verify the Acronis Agent version on Linux/macOS. The exact binary name and
# invocation depend on the platform and installation; if this command is not
# present, read the agent build from the Cyber Protect console instead.
acronis_agent --version
# Ensure the reported build number is 41124 or higher

# Review the agent's state directory for residual files after a plan revocation
# and confirm that nothing in it is readable by group or others
ls -la /var/lib/Acronis/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.