CVE-2026-28712 Overview
CVE-2026-28712 is a local privilege escalation vulnerability affecting Acronis Cyber Protect 17 on Windows systems. The vulnerability stems from a DLL hijacking weakness (CWE-427) that allows a local attacker with low privileges to escalate their privileges on the affected system. By exploiting this flaw, an attacker can place a malicious DLL in a location where the vulnerable application searches for legitimate libraries, resulting in the execution of arbitrary code with elevated privileges.
Critical Impact
Local attackers can exploit this DLL hijacking vulnerability to achieve privilege escalation on Windows systems running Acronis Cyber Protect 17 before build 41186, potentially compromising confidentiality and integrity of the affected system.
Affected Products
- Acronis Cyber Protect 17 (Windows) before build 41186
- Microsoft Windows (as the underlying operating system)
Discovery Timeline
- 2026-03-06 - CVE-2026-28712 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-28712
Vulnerability Analysis
This DLL hijacking vulnerability exists in Acronis Cyber Protect 17 on Windows platforms due to improper handling of DLL search order. When the application loads dynamic link libraries, it searches for them in directories that may be writable by lower-privileged users. An attacker with local access can exploit this behavior by placing a malicious DLL with a specific filename in a directory that is searched before the legitimate library location.
The vulnerability requires local access and carries high complexity for exploitation, meaning successful attacks depend on conditions outside the attacker's control, such as timing or specific system configurations. However, when successfully exploited, the impact on confidentiality and integrity is high, while availability is not affected.
Root Cause
The root cause of this vulnerability is classified as CWE-427: Uncontrolled Search Path Element. This weakness occurs when an application uses a search path to locate critical resources like DLLs but includes directories that could be under attacker control. In Windows environments, this commonly manifests when applications search for DLLs in the current working directory, user-writable folders, or other insecure locations before checking system directories.
Acronis Cyber Protect 17 fails to properly validate or restrict the search path used when loading DLLs, allowing attackers to inject malicious libraries into the load sequence.
Attack Vector
The attack requires local access to the target system and involves the following general approach:
- The attacker identifies a DLL that Acronis Cyber Protect 17 attempts to load from an insecure location
- The attacker creates a malicious DLL with the same filename containing arbitrary code
- The malicious DLL is placed in a directory that the application searches before the legitimate DLL location
- When Acronis Cyber Protect executes and attempts to load the DLL, it loads the malicious version instead
- The malicious code executes with the privileges of the Acronis Cyber Protect process, typically elevated system privileges
The local attack vector combined with high attack complexity means the vulnerability requires specific conditions to be exploited successfully, but the potential impact on system confidentiality and integrity makes remediation important.
Detection Methods for CVE-2026-28712
Indicators of Compromise
- Unexpected DLL files appearing in Acronis Cyber Protect installation directories or user-writable paths
- Unusual DLL loading events from non-standard directories in Windows Event logs
- Process execution anomalies associated with Acronis Cyber Protect services
- Signs of privilege escalation activity on systems running vulnerable versions
Detection Strategies
- Monitor for DLL loading events using Windows Sysmon (Event ID 7) to detect DLLs loaded from unexpected paths
- Implement application whitelisting solutions to prevent unauthorized DLL execution
- Use endpoint detection and response (EDR) solutions like SentinelOne to detect anomalous behavior patterns
- Audit file system changes in directories commonly targeted for DLL hijacking attacks
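The Sysmon Event ID 7 (ImageLoad) strategy above can be turned into a concrete triage rule. The following is an added example written for this page, not code from the original page, from Acronis or from SentinelOne. It assumes the events have already been exported from the Sysmon log into Python dicts using the standard Sysmon field names (Image, ImageLoaded, Signed, SignatureStatus, Signature, User); the install root, the trusted-signer list, the agent executable name and the sample events are all assumptions or constructed data.

```python
"""Triage Sysmon Event ID 7 (ImageLoad) records for suspicious DLL loads into
Acronis Cyber Protect processes.

Example code added for this page (not Acronis's or SentinelOne's). The install
root, signer list and sample events below are assumptions / constructed data.
"""
from pathlib import PureWindowsPath

# Assumed install root; a process whose image lives under it is "the application".
ACRONIS_ROOT = r"C:\Program Files\Acronis"

# Locations a DLL loaded by the application is expected to come from.
TRUSTED_DLL_ROOTS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
    ACRONIS_ROOT,
)

# Assumed signer names; replace with the signers observed on a known-good host.
TRUSTED_SIGNERS = ("Microsoft Windows", "Microsoft Corporation", "Acronis International GmbH")


def is_under(path, root):
    """True if `path` equals `root` or lies inside it (Windows paths, case-insensitive)."""
    p = PureWindowsPath(path.lower())
    r = PureWindowsPath(root.lower())
    return p == r or r in p.parents


def analyze_image_loads(events):
    """Return one finding per Event ID 7 record in which an Acronis process loaded a
    DLL from outside the trusted roots, or a DLL that is unsigned, has an invalid
    signature, or is signed by an unexpected party. Other processes and other
    event IDs are ignored."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        image = ev.get("Image", "")
        loaded = ev.get("ImageLoaded", "")
        if not is_under(image, ACRONIS_ROOT):
            continue
        reasons = []
        if not any(is_under(loaded, root) for root in TRUSTED_DLL_ROOTS):
            reasons.append("dll_outside_trusted_roots")
        signed = str(ev.get("Signed", "false")).lower() == "true"
        if not signed or ev.get("SignatureStatus") != "Valid":
            reasons.append("dll_unsigned_or_invalid_signature")
        elif ev.get("Signature") not in TRUSTED_SIGNERS:
            reasons.append("dll_unexpected_signer")
        if reasons:
            findings.append({"process": image, "dll": loaded,
                             "user": ev.get("User"), "reasons": reasons})
    return findings


# Constructed sample events (not real telemetry); executable and DLL names are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Acronis\CyberProtect\ExampleAgent.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true",
     "SignatureStatus": "Valid", "Signature": "Microsoft Windows", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 7, "Image": r"C:\Program Files\Acronis\CyberProtect\ExampleAgent.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\example.dll", "Signed": "false",
     "SignatureStatus": "Unavailable", "Signature": "-", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 7, "Image": r"C:\Program Files\Acronis\CyberProtect\ExampleAgent.exe",
     "ImageLoaded": r"C:\Windows\System32\ws2_32.dll", "Signed": "true",
     "SignatureStatus": "Valid", "Signature": "Contoso Ltd", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\example.dll", "Signed": "false",
     "SignatureStatus": "Unavailable", "Signature": "-", "User": r"CORP\alice"},
    {"EventID": 1, "Image": r"C:\Program Files\Acronis\CyberProtect\ExampleAgent.exe"},
]

if __name__ == "__main__":
    for f in analyze_image_loads(SAMPLE_EVENTS):
        print(f"{f['process']} loaded {f['dll']} ({', '.join(f['reasons'])})")
```

The second and third sample events are the ones that fire: a DLL loaded from a user's Temp folder without a signature, and a DLL in System32 whose signer is not on the expected list. Building the trusted-signer list from a known-good host keeps the unsigned/unexpected-signer checks useful even when a planted DLL sits inside an otherwise trusted directory.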
Monitoring Recommendations
- Enable detailed logging for Acronis Cyber Protect service activities and DLL loading operations
- Configure file integrity monitoring on critical application directories
- Review Windows Security Event logs for privilege escalation indicators
- Deploy behavioral detection rules to identify DLL sideloading attack patterns
How to Mitigate CVE-2026-28712
Immediate Actions Required
- Update Acronis Cyber Protect 17 (Windows) to build 41186 or later immediately
- Review systems for indicators of compromise before and after patching
- Restrict write access to directories in the DLL search path where possible
- Implement application control policies to limit DLL execution to trusted sources
Patch Information
Acronis has released a security update addressing this vulnerability. Users should update Acronis Cyber Protect 17 on Windows to build 41186 or later. For complete details and download links, refer to the Acronis Security Advisory SEC-2332.
Workarounds
- Restrict user write permissions on directories included in the application's DLL search path
- Implement Windows Defender Application Control (WDAC) or AppLocker policies to prevent unauthorized DLL loading
- Use SentinelOne's behavioral AI to detect and block DLL hijacking attempts in real-time
- Consider running Acronis Cyber Protect services with minimal required privileges until patching is complete
# Example: restrict write access on an application directory to prevent DLL planting
# Run in an elevated PowerShell session
# Disable inheritance but keep a copy of the currently inherited ACEs (/inheritance:d)
icacls "C:\Program Files\Acronis\CyberProtect" /inheritance:d
# Replace the Users group's explicit rights with read and execute only (/grant:r),
# applied to subfolders and files via (OI)(CI). Removing the Users ACE entirely
# with /remove:g would also strip the read/execute rights standard users need
# to launch the console, so grant RX explicitly instead of removing the group.
icacls "C:\Program Files\Acronis\CyberProtect" /grant:r "Users:(OI)(CI)RX"
# Verify the resulting ACL
icacls "C:\Program Files\Acronis\CyberProtect"
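To check which directories still need this treatment, the `icacls <directory>` output can be audited for ACEs that let low-privileged principals create or replace files. The following is an added example written for this page, not code from the original page, from Acronis or from SentinelOne. It assumes the single-directory icacls output format (first line `<path> <principal>:<rights>`, remaining ACEs on indented continuation lines); the two directories and their ACLs below are constructed, and the second one is deliberately weak.

```python
"""Flag directories whose ACL lets low-privileged principals write, from the text
that `icacls <directory>` prints.

Example code added for this page (not Acronis's or SentinelOne's). The directory
paths and ACL listings below are constructed sample data.
"""
import re

# Principals every standard interactive user is a member of (compared lower-case).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls simple rights (F, M, W) and specific rights that allow creating or
# replacing files in a directory; any of them is enough to plant a DLL.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WA", "WEA", "DC"}

# Inheritance flags icacls prints next to the rights; not rights themselves.
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}


def parse_icacls(output, directory):
    """Parse `icacls <directory>` output into a list of ACE dicts."""
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        # The first line carries the directory path before the first ACE.
        if line.lower().startswith(directory.lower()):
            line = line[len(directory):].strip()
        principal, _, rights = line.rpartition(":")
        tokens = {t for group in re.findall(r"\(([^)]*)\)", rights) for t in group.split(",")}
        entries.append({
            "principal": principal,
            "deny": "DENY" in tokens,
            "rights": tokens - INHERITANCE_FLAGS - {"DENY"},
        })
    return entries


def low_priv_writers(entries):
    """Principals that are low-privileged, not denied, and hold a write-class right."""
    return [e["principal"] for e in entries
            if e["principal"].lower() in LOW_PRIV_PRINCIPALS
            and not e["deny"] and e["rights"] & WRITE_RIGHTS]


def audit(directory, output):
    """Return the low-privileged principals that can write into `directory`."""
    return low_priv_writers(parse_icacls(output, directory))


# Constructed icacls output: a hardened application directory ...
HARDENED_DIR = r"C:\Program Files\Acronis\CyberProtect"
HARDENED_OUTPUT = r"""C:\Program Files\Acronis\CyberProtect BUILTIN\Administrators:(OI)(CI)(F)
                                       NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                       BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# ... and a placeholder plug-in directory where Users were granted write access.
WEAK_DIR = r"C:\ProgramData\ExampleApp\plugins"
WEAK_OUTPUT = r"""C:\ProgramData\ExampleApp\plugins BUILTIN\Administrators:(I)(OI)(CI)(F)
                                   NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                   BUILTIN\Users:(I)(OI)(CI)(RX,W)
                                   Everyone:(DENY)(OI)(CI)(W)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for d, out in ((HARDENED_DIR, HARDENED_OUTPUT), (WEAK_DIR, WEAK_OUTPUT)):
        writers = audit(d, out)
        print(f"{d}: {'writable by ' + ', '.join(writers) if writers else 'OK'}")
```

Deny ACEs are treated as non-writable, and combined rights such as `(RX,W)` are split so that a write right hidden next to read/execute is still caught. Feed the function the output of `icacls` for each directory on the application's DLL search path to find the ones that need the permission change above.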
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.