CVE-2026-28722 Overview
CVE-2026-28722 is a local privilege escalation vulnerability affecting Acronis Cyber Protect 17 on Windows systems. The vulnerability stems from improper soft link (symbolic link) handling, which can be exploited by a local attacker with low privileges to escalate their permissions and gain elevated access to the system. This vulnerability is classified under CWE-610 (Externally Controlled Reference to a Resource in Another Sphere).
Critical Impact
A local attacker with limited privileges can exploit improper symbolic link handling to escalate privileges, potentially gaining full administrative control over affected Windows systems running Acronis Cyber Protect 17.
Affected Products
- Acronis Cyber Protect 17 (Windows) before build 41186
- Microsoft Windows (as the operating system platform)
Discovery Timeline
- 2026-03-06 - CVE CVE-2026-28722 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-28722
Vulnerability Analysis
This vulnerability exists in Acronis Cyber Protect 17 due to improper validation and handling of symbolic links (soft links) during file operations. The weakness allows an attacker to create a malicious symbolic link that redirects privileged operations to unintended targets, effectively bypassing access controls and enabling privilege escalation.
When the Acronis Cyber Protect service performs file operations with elevated privileges, it fails to properly verify whether the target of a symbolic link is within an expected, safe location. An attacker can exploit this by placing a symbolic link in a location where the service operates, causing the service to perform privileged actions on arbitrary files or directories chosen by the attacker.
Root Cause
The root cause of CVE-2026-28722 is the failure to properly validate symbolic link targets before performing privileged file operations. Specifically, the affected Acronis Cyber Protect 17 component does not implement adequate checks to ensure that file operations follow symbolic links to authorized locations only. This allows an attacker to manipulate the file system through symbolic link redirection attacks.
This vulnerability falls under CWE-610 (Externally Controlled Reference to a Resource in Another Sphere), where the application uses an externally-controlled name or reference to access a resource that should be restricted.
Attack Vector
The attack vector is local, requiring the attacker to have authenticated access to the target Windows system with low-level privileges. The attack requires user interaction to execute. The exploitation scenario typically involves:
- The attacker identifies a directory or file path where Acronis Cyber Protect performs privileged operations
- The attacker creates a symbolic link pointing from this expected location to a sensitive system file or directory
- When the Acronis service executes its privileged operations, it follows the symbolic link and performs actions on the attacker-controlled target
- This can result in arbitrary file writes, overwrites, or permission changes with elevated privileges
For technical details on this vulnerability, refer to the Acronis Security Advisory SEC-8481.
Detection Methods for CVE-2026-28722
Indicators of Compromise
- Unexpected symbolic links in Acronis Cyber Protect installation or working directories
- Unusual file permission changes on system files or protected directories
- Evidence of privilege escalation attempts in Windows Security event logs
- Anomalous process behavior from Acronis services accessing unexpected file paths
Detection Strategies
- Monitor file system activity for symbolic link creation in directories used by Acronis Cyber Protect services
- Implement endpoint detection rules to identify privilege escalation patterns following symbolic link manipulation
- Review Windows Security logs for events indicating unauthorized access to protected resources
- Deploy SentinelOne behavioral AI to detect exploitation attempts targeting symbolic link vulnerabilities
Monitoring Recommendations
- Enable detailed file system auditing on Acronis Cyber Protect installation directories
- Configure alerting for any new symbolic links created in service-accessible paths
- Monitor process execution chains for indicators of privilege escalation following file operations
- Implement real-time file integrity monitoring on critical system files
How to Mitigate CVE-2026-28722
Immediate Actions Required
- Update Acronis Cyber Protect 17 to build 41186 or later immediately
- Audit systems for signs of exploitation or suspicious symbolic links in Acronis directories
- Review user access permissions and limit local access to trusted accounts only
- Enable enhanced logging and monitoring on affected systems until patching is complete
Patch Information
Acronis has released a security update addressing this vulnerability. Organizations should update Acronis Cyber Protect 17 on Windows to build 41186 or later. The security advisory with complete patch details is available at the Acronis Security Advisory SEC-8481.
Workarounds
- Restrict local user access to systems running vulnerable versions of Acronis Cyber Protect
- Implement strict access controls on directories used by Acronis services
- Enable Windows Defender Credential Guard and other hardening measures to limit privilege escalation impact
- Monitor and alert on symbolic link creation in sensitive directories as a compensating control until patches can be applied
# Configuration example - Restrict symbolic link creation permissions
# Limit which users can create symbolic links on Windows systems
# Check current symbolic link permissions
fsutil behavior query SymlinkEvaluation
# Restrict symbolic link evaluation (requires Administrator privileges)
fsutil behavior set SymlinkEvaluation L2L:0 R2R:0 L2R:0 R2L:0
# Enable auditing for file system object access
auditpol /set /subcategory:"File System" /success:enable /failure:enable
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
