CVE-2026-28713 Overview
CVE-2026-28713 is a hardcoded credentials vulnerability affecting Acronis Cyber Protect Cloud Agent and Acronis Cyber Protect 17 virtual appliances running on VMware. The vulnerability stems from default credentials being set for a local privileged user account in the virtual appliance, potentially allowing unauthorized access to systems with elevated privileges.
Critical Impact
Attackers who can reach the affected virtual appliance may leverage default credentials to gain privileged access, potentially compromising backup infrastructure and sensitive data protected by Acronis solutions.
Affected Products
- Acronis Cyber Protect Cloud Agent (VMware) before build 36943
- Acronis Cyber Protect 17 (VMware) before build 41186
Discovery Timeline
- 2026-03-06 - CVE-2026-28713 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2026-28713
Vulnerability Analysis
This vulnerability falls under CWE-1392 (Use of Default Credentials), representing a fundamental security configuration flaw in the Acronis virtual appliance deployment. The presence of default credentials for a privileged user account creates a significant security risk, particularly in environments where the virtual appliance is accessible over the network.
Default credential vulnerabilities are especially dangerous in backup and data protection solutions like Acronis Cyber Protect, as these systems typically have access to sensitive organizational data and may have elevated permissions across the infrastructure they protect. An attacker who successfully authenticates using these default credentials would inherit the privileges of the local user account, potentially enabling further lateral movement or data exfiltration.
Root Cause
The root cause of this vulnerability is the inclusion of pre-configured default credentials for a local privileged user account within the Acronis virtual appliance image. This configuration practice, while potentially intended for ease of initial deployment, violates security best practices by shipping production systems with known authentication secrets.
Attack Vector
Exploiting CVE-2026-28713 requires network access to the vulnerable virtual appliance. The attack complexity is considered high and some user interaction is required, but an attacker who can reach the appliance over the network may attempt authentication using the default credentials. Successful exploitation could lead to high impact on both confidentiality and integrity, with limited impact on availability.
The exploitation scenario involves identifying a vulnerable Acronis virtual appliance on the network, then attempting to authenticate using the known default credentials. Organizations that have not changed these credentials during initial deployment are at risk.
Detection Methods for CVE-2026-28713
Indicators of Compromise
- Unexpected or unauthorized login attempts to Acronis virtual appliance management interfaces
- Authentication events using default or known service accounts
- Unusual administrative activity on backup infrastructure outside of normal maintenance windows
- Network connections to Acronis appliances from unexpected source IP addresses
Detection Strategies
- Monitor authentication logs on Acronis virtual appliances for successful logins that don't correspond to authorized personnel
- Implement alerting for any use of default service account credentials if still present in the environment
- Deploy network monitoring to detect scanning activity targeting Acronis management ports
- Conduct regular credential audits to identify systems still using default authentication
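One way to turn the indicators and detection strategies above into a log review, as an added example that is not Acronis or advisory code. It assumes OpenSSH-style authentication lines with ISO 8601 timestamps; the account name `appliance-admin`, the host names, the allowed admin subnet and the maintenance window are hypothetical placeholders, because the advisory does not name the account or the log format.

```python
import ipaddress
import re
from datetime import datetime, time

# Assumptions (not from the advisory): a placeholder account name, an admin
# jump-host subnet, and a 01:00-03:00 maintenance window.
WATCHED_ACCOUNTS = {"appliance-admin"}
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/28")]
MAINT_START, MAINT_END = time(1, 0), time(3, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log lines, not real appliance output.
SAMPLE_LOG = """\
2026-03-10T01:12:44 acp-va-01 sshd[811]: Accepted publickey for appliance-admin from 10.20.0.5 port 50122 ssh2
2026-03-10T14:03:09 acp-va-01 sshd[902]: Accepted password for appliance-admin from 10.20.0.5 port 50310 ssh2
2026-03-11T02:15:30 acp-va-02 sshd[455]: Accepted password for appliance-admin from 192.0.2.77 port 41222 ssh2
2026-03-11T02:16:02 acp-va-02 sshd[455]: Failed password for appliance-admin from 192.0.2.77 port 41230 ssh2
2026-03-11T09:00:00 acp-va-02 sshd[470]: Accepted password for backupsvc from 10.20.0.6 port 40000 ssh2
"""

def review_logins(log_text):
    """Return one finding per successful watched-account login that is off-baseline."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] not in WATCHED_ACCOUNTS:
            continue  # failed logins and other accounts are out of scope here
        reasons = []
        try:
            src = ipaddress.ip_address(m["src"])
            if not any(src in net for net in ALLOWED_SOURCES):
                reasons.append("unexpected-source")
        except ValueError:
            reasons.append("unparseable-source")
        when = datetime.fromisoformat(m["ts"]).time()
        if not (MAINT_START <= when < MAINT_END):
            reasons.append("outside-maintenance-window")
        if reasons:
            findings.append((m["host"], m["ts"], m["src"], reasons))
    return findings
```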
Monitoring Recommendations
- Enable comprehensive logging on all Acronis Cyber Protect virtual appliances
- Configure SIEM rules to alert on authentication anomalies related to backup infrastructure
- Implement baseline monitoring for normal administrative access patterns
- Review audit logs for privileged account activity regularly
How to Mitigate CVE-2026-28713
Immediate Actions Required
- Immediately change all default credentials on Acronis Cyber Protect virtual appliances
- Verify network segmentation to limit access to backup infrastructure management interfaces
- Audit all Acronis virtual appliance deployments to identify vulnerable builds
- Update to Acronis Cyber Protect Cloud Agent build 36943 or later, and Acronis Cyber Protect 17 build 41186 or later
Patch Information
Acronis has released updated builds that address this vulnerability. Organizations should update to the following minimum versions:
- Acronis Cyber Protect Cloud Agent (VMware): Build 36943 or later
- Acronis Cyber Protect 17 (VMware): Build 41186 or later
For detailed patch information and download links, refer to the Acronis Security Advisory SEC-4168.
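The audit step above can be scripted against an inventory export. This is an added example, not vendor tooling: the fixed build numbers come from this advisory, while the CSV column names, host names and sample rows are constructed assumptions.

```python
import csv
import io

# Minimum fixed builds, taken from the advisory text above.
FIXED_BUILD = {
    "Acronis Cyber Protect Cloud Agent (VMware)": 36943,
    "Acronis Cyber Protect 17 (VMware)": 41186,
}

# Constructed inventory export; column names and hosts are assumptions.
SAMPLE_INVENTORY = """\
host,product,build
acp-va-01,Acronis Cyber Protect Cloud Agent (VMware),36120
acp-va-02,Acronis Cyber Protect Cloud Agent (VMware),36943
acp-va-03,Acronis Cyber Protect 17 (VMware),41002
acp-va-04,Acronis Cyber Protect 17 (VMware),
acp-va-05,Other VMware appliance,39900
"""

def audit_builds(inventory_csv):
    """Classify each appliance as 'vulnerable', 'fixed' or 'review'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["host"].strip()
        fixed = FIXED_BUILD.get(row["product"].strip())
        build = (row.get("build") or "").strip()
        if fixed is None or not build.isdigit():
            # Unknown product or missing build: never assume it is patched.
            results[host] = "review"
        elif int(build) < fixed:
            results[host] = "vulnerable"
        else:
            results[host] = "fixed"
    return results

def needs_action(inventory_csv):
    """Hosts to patch or verify by hand, vulnerable ones first."""
    status = audit_builds(inventory_csv)
    order = {"vulnerable": 0, "review": 1}
    todo = [h for h, s in status.items() if s in order]
    return sorted(todo, key=lambda h: (order[status[h]], h))
```

A host on a fixed build still needs its local account password checked, since the mitigation steps above call for changing default credentials as well as updating.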
Workarounds
- Change default credentials immediately on all affected appliances as an interim measure
- Restrict network access to Acronis virtual appliance management interfaces using firewall rules or network segmentation
- Implement multi-factor authentication for administrative access where supported
- Monitor for unauthorized access attempts while planning upgrade deployment
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


