CVE-2025-30413 Overview
CVE-2025-30413 is a credential management vulnerability in Acronis Cyber Protect products in which credentials are not properly deleted from the Acronis Agent after a protection plan is revoked. This improper permission assignment flaw (CWE-732) allows a local attacker with high privileges to access sensitive credential data that should have been removed when the protection plan was revoked.
Critical Impact
Sensitive credentials remain accessible on endpoints after protection plan revocation, potentially allowing privileged local users to harvest stored authentication data for unauthorized access to backup infrastructure.
Affected Products
- Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 40497
- Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186
Discovery Timeline
- 2026-03-06 - CVE-2025-30413 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2025-30413
Vulnerability Analysis
This vulnerability stems from improper credential lifecycle management within the Acronis Agent software. When a protection plan is revoked or removed from an endpoint, the associated credentials should be securely deleted from the local system. However, affected versions of Acronis Cyber Protect Cloud Agent and Acronis Cyber Protect 17 fail to properly clean up these credentials, leaving them accessible on the local file system.
The vulnerability is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource), indicating that the stored credentials may also lack appropriate access controls while they remain on the system after plan revocation.
Root Cause
The root cause lies in the credential cleanup logic within the Acronis Agent. When protection plans are revoked through the management console, the agent fails to execute the necessary credential removal procedures. This results in orphaned credential data persisting on endpoints beyond their intended lifecycle. The improper permission assignment aspect suggests these credentials may also be stored with insufficient access restrictions, compounding the risk.
Attack Vector
The vulnerability requires local access to the affected system and high privileges to exploit. An attacker with administrative access to an endpoint running a vulnerable Acronis Agent could:
- Identify endpoints where protection plans have been previously revoked
- Locate the residual credential storage locations used by the Acronis Agent
- Extract stored credentials that should have been deleted
- Use harvested credentials to potentially access Acronis backup infrastructure or pivot to other protected systems
This attack requires physical or remote administrative access to the vulnerable endpoint, limiting the attack surface to insider threats or post-compromise scenarios where an attacker has already gained elevated privileges.
Detection Methods for CVE-2025-30413
Indicators of Compromise
- Unexpected access to Acronis Agent credential storage directories by unauthorized processes
- Anomalous authentication attempts to Acronis management infrastructure using revoked credentials
- File system access patterns targeting Acronis configuration and credential files after plan revocation events
- Audit log entries showing credential file reads without corresponding active protection plans
Detection Strategies
- Monitor file system access to Acronis Agent installation directories, particularly after plan revocation events
- Implement endpoint detection rules to alert on processes reading Acronis credential files outside of normal backup operations
- Correlate Acronis management console events with endpoint file access logs to identify credential access after revocation
- Deploy SentinelOne Singularity to detect suspicious process behaviors targeting backup agent credential stores
Monitoring Recommendations
- Enable verbose logging on Acronis Agent installations to track credential management operations
- Configure SIEM rules to correlate protection plan revocation events with subsequent credential file access
- Implement file integrity monitoring on Acronis Agent configuration directories
- Review audit logs regularly for evidence of credential harvesting attempts on systems with revoked plans
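The two lists above describe one detection: join management-console plan-revocation events with endpoint file-audit records and raise an alert when something other than the agent reads agent state after a revocation. The script below is an added example, not code from the original page or from Acronis. It runs offline over constructed console events (JSON lines) and constructed audit records; the agent state directory is taken from the page's Linux example, while the process names in the allow-list, the field layout of both logs and the 30-day look-back window are assumptions that would be replaced with values from a real SIEM.

```python
"""Correlate protection-plan revocation events with later reads of agent state.

Added example (not Acronis code).  Two constructed log sources are embedded:
management-console events as JSON lines, and endpoint file-audit records as
pipe-separated fields.  Field layouts and process names are assumptions.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Agent state directory on Linux, as used in the page's configuration example.
AGENT_STATE_DIR = "/var/lib/Acronis/BackupAndRecovery/"
# Processes expected to touch agent state during normal operation (assumption;
# build this allow-list from your own baseline of the agent's process names).
EXPECTED_PROCESSES = {"acronis_mms", "schedul2", "acronis_agent"}
# How long after a revocation a read of agent state is treated as suspicious.
WINDOW = timedelta(days=30)

# Constructed management-console events (one JSON object per line).
CONSOLE_EVENTS = """
{"time": "2026-03-10T09:00:00", "host": "web-01", "action": "plan_revoked", "plan": "daily-full"}
{"time": "2026-03-10T09:05:00", "host": "db-02", "action": "plan_applied", "plan": "daily-full"}
"""

# Constructed endpoint file-audit records: time|host|process|path|operation
AUDIT_LINES = """
2026-03-10T08:30:00|web-01|acronis_mms|/var/lib/Acronis/BackupAndRecovery/creds.db|read
2026-03-11T14:12:07|web-01|python3|/var/lib/Acronis/BackupAndRecovery/creds.db|read
2026-03-11T14:12:09|web-01|bash|/etc/hostname|read
2026-03-11T15:00:00|db-02|python3|/var/lib/Acronis/BackupAndRecovery/creds.db|read
"""


@dataclass
class AuditRecord:
    time: datetime
    host: str
    process: str
    path: str
    op: str


def revocations(console_jsonl: str) -> dict[str, list[datetime]]:
    """Map host -> list of revocation times taken from console events."""
    out: dict[str, list[datetime]] = {}
    for line in console_jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev.get("action") == "plan_revoked":
            out.setdefault(ev["host"], []).append(datetime.fromisoformat(ev["time"]))
    return out


def parse_audit(lines: str) -> list[AuditRecord]:
    """Parse the pipe-separated audit format constructed above."""
    recs = []
    for line in lines.strip().splitlines():
        t, host, proc, path, op = line.split("|")
        recs.append(AuditRecord(datetime.fromisoformat(t), host, proc, path, op))
    return recs


def correlate(console_jsonl: str, audit_lines: str) -> list[dict]:
    """Flag reads of agent state by processes outside the allow-list.

    A read that falls inside WINDOW after a revocation on the same host is
    tagged 'post_revocation_read'; any other out-of-baseline read is tagged
    'unexpected_process' so it still surfaces for review.
    """
    revoked = revocations(console_jsonl)
    findings = []
    for rec in parse_audit(audit_lines):
        if not rec.path.startswith(AGENT_STATE_DIR) or rec.op != "read":
            continue
        if rec.process in EXPECTED_PROCESSES:
            continue
        reason = "unexpected_process"
        for when in revoked.get(rec.host, []):
            if when <= rec.time <= when + WINDOW:
                reason = "post_revocation_read"
                break
        findings.append({"host": rec.host, "process": rec.process, "path": rec.path,
                         "time": rec.time.isoformat(), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in correlate(CONSOLE_EVENTS, AUDIT_LINES):
        print(f)
```

With the constructed input the script reports two findings: the `python3` read on `web-01` the day after its plan was revoked, and the `python3` read on `db-02`, which has no revocation but is still outside the process baseline. The agent's own read before the revocation and the unrelated `/etc/hostname` read are ignored.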
How to Mitigate CVE-2025-30413
Immediate Actions Required
- Update Acronis Cyber Protect Cloud Agent to build 40497 or later immediately
- Update Acronis Cyber Protect 17 to build 41186 or later on all platforms (Linux, macOS, Windows)
- Audit all systems where protection plans have been previously revoked to identify potential credential exposure
- Rotate any credentials that may have been stored on systems with revoked plans prior to patching
Patch Information
Acronis has released security updates addressing this vulnerability. Refer to the official security advisories for detailed patch information:
Organizations should prioritize upgrading to the patched builds: Acronis Cyber Protect Cloud Agent build 40497 or later, and Acronis Cyber Protect 17 build 41186 or later.
Workarounds
- Manually verify and remove credential files from Acronis Agent directories after revoking protection plans on unpatched systems
- Restrict local administrative access to minimize the pool of users who could exploit residual credentials
- Implement additional access controls on Acronis Agent installation directories to limit credential file access
- Consider temporarily removing Acronis Agent software entirely from systems where protection plans are revoked until patching is complete
# Configuration example
# Verify Acronis Agent build version on Windows
reg query "HKLM\SOFTWARE\Acronis\BackupAndRecovery" /v BuildNumber
# Verify Acronis Agent build version on Linux
cat /usr/lib/Acronis/BackupAndRecovery/version.txt
# Restrict permissions on Acronis credential directories (Linux example)
chmod 700 /var/lib/Acronis/BackupAndRecovery/
chown root:root /var/lib/Acronis/BackupAndRecovery/
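The immediate actions and workarounds above reduce to two checks a fleet script would run: is the installed build older than the fixed build for that product, and does the agent's state directory grant any access to group or others. The script below is an added example, not code from the original page or from Acronis. The build thresholds are those stated in this advisory; the directory audit runs on a constructed temporary directory standing in for the path in the page's `chmod` example, and the file names inside it are made up for the demonstration, not real agent files.

```python
"""Build-version check and permission audit for an agent state directory.

Added example (not Acronis code).  FIXED_BUILDS holds the fixed builds from
the advisory.  The demo directory, its file names and modes are constructed.
"""
import os
import stat
import tempfile

# Product -> first build containing the fix, as listed in the advisory.
FIXED_BUILDS = {
    "Acronis Cyber Protect Cloud Agent": 40497,
    "Acronis Cyber Protect 17": 41186,
}


def is_vulnerable_build(product: str, build: int) -> bool:
    """True when the product is covered by the advisory and the build predates the fix."""
    fixed = FIXED_BUILDS.get(product)
    if fixed is None:
        raise ValueError(f"product not covered by this advisory: {product}")
    return build < fixed


def permission_findings(root: str) -> list:
    """Return (path, octal_mode) for root and every entry beneath it whose
    mode grants any permission to group or others (the page's target state
    is 700 on the directory, which this check would report as clean)."""
    loose_bits = stat.S_IRWXG | stat.S_IRWXO
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    findings = []
    for p in paths:
        mode = os.lstat(p).st_mode
        if mode & loose_bits:
            findings.append((p, oct(stat.S_IMODE(mode))))
    return findings


def tighten(root: str) -> None:
    """Apply the page's workaround: directory 700, regular files 600."""
    os.chmod(root, 0o700)
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o700)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), 0o600)


def demo() -> tuple:
    """Build a constructed state directory with one loose and one tight file,
    audit it, tighten it, and audit again.  Returns the number of findings
    before and after tightening."""
    with tempfile.TemporaryDirectory() as tmp:
        # Stands in for /var/lib/Acronis/BackupAndRecovery/ from the page.
        root = os.path.join(tmp, "BackupAndRecovery")
        os.mkdir(root)
        os.chmod(root, 0o755)                       # world-readable directory
        tight = os.path.join(root, "tight.cfg")     # constructed file name
        loose = os.path.join(root, "leftover.cfg")  # constructed file name
        for path, mode in ((tight, 0o600), (loose, 0o644)):
            with open(path, "w") as fh:
                fh.write("placeholder\n")
            os.chmod(path, mode)
        before = permission_findings(root)
        tighten(root)
        after = permission_findings(root)
        return len(before), len(after)


if __name__ == "__main__":
    for product, fixed in FIXED_BUILDS.items():
        print(product, "build", fixed - 1, "vulnerable:", is_vulnerable_build(product, fixed - 1))
    print("findings before/after tightening:", demo())
```

In the demo the first audit reports two entries (the 755 directory and the 644 file), and the second reports none. Run against a real installation, `permission_findings` only reports; it never deletes anything, since which residual files hold credentials is not something this advisory specifies, so removal of leftover credential material should follow the vendor's guidance rather than a pattern match on file names.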
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


