CVE-2026-28723 Overview
CVE-2026-28723 is an Improper Access Control vulnerability (CWE-863) affecting Acronis Cyber Protect 17. The vulnerability allows authenticated users to delete reports without proper authorization, potentially leading to data loss and disruption of backup monitoring and compliance reporting workflows.
Critical Impact
Authenticated attackers can delete reports belonging to other users or administrators, undermining audit trails and compliance documentation within Acronis Cyber Protect environments.
Affected Products
- Acronis Cyber Protect 17 (Linux) before build 41186
- Acronis Cyber Protect 17 (Windows) before build 41186
Discovery Timeline
- 2026-03-06 - CVE CVE-2026-28723 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2026-28723
Vulnerability Analysis
This vulnerability stems from insufficient access control enforcement in the report management functionality of Acronis Cyber Protect 17. The application fails to properly validate whether the authenticated user has the necessary permissions to delete specific reports before processing deletion requests.
CWE-863 (Incorrect Authorization) indicates that while authentication is performed, the subsequent authorization check to verify report ownership or administrative privileges is either missing or improperly implemented. This allows any authenticated user to potentially manipulate report identifiers in API requests to delete reports they should not have access to.
The network-based attack vector with low complexity means exploitation requires only valid user credentials and knowledge of target report identifiers. No user interaction is required, making this vulnerability straightforward to exploit once authentication is achieved.
Root Cause
The root cause is insufficient access control validation in the report deletion functionality. The application likely accepts report deletion requests based solely on authentication status without verifying whether the requesting user owns the report or has administrative privileges to delete it. This represents a classic Insecure Direct Object Reference (IDOR) pattern where object identifiers can be manipulated to access unauthorized resources.
Attack Vector
An authenticated attacker can exploit this vulnerability through the following attack pattern:
- Authentication: Attacker logs into Acronis Cyber Protect 17 with valid low-privilege credentials
- Enumeration: Attacker identifies report identifiers through the application interface or by incrementing/predicting report IDs
- Manipulation: Attacker crafts deletion requests targeting reports belonging to other users or administrators
- Execution: The application processes the deletion request without proper ownership validation, removing reports the attacker should not have access to
The vulnerability impacts data integrity by allowing unauthorized deletion of reports, which could affect compliance documentation, audit trails, and backup monitoring visibility. Organizations relying on these reports for regulatory compliance or operational monitoring may experience significant disruption.
Detection Methods for CVE-2026-28723
Indicators of Compromise
- Unusual volume of report deletion activities from single user accounts
- Report deletion requests targeting reports owned by other users or administrators
- Anomalous API calls to report management endpoints with manipulated identifiers
- Missing or gaps in expected compliance and backup reports
Detection Strategies
- Monitor Acronis Cyber Protect audit logs for report deletion events and correlate with user ownership data
- Implement alerting for bulk deletion activities or deletions performed outside normal business hours
- Review API access logs for patterns indicating IDOR exploitation attempts
Monitoring Recommendations
- Enable verbose logging for all report management operations in Acronis Cyber Protect
- Configure SIEM rules to detect authorization bypass patterns in backup management systems
- Establish baseline metrics for normal report deletion activity to identify anomalous behavior
How to Mitigate CVE-2026-28723
Immediate Actions Required
- Upgrade Acronis Cyber Protect 17 to build 41186 or later on all affected Linux and Windows systems
- Review audit logs for any suspicious report deletion activity prior to patching
- Temporarily restrict report deletion privileges to administrative accounts only if patching cannot be performed immediately
Patch Information
Acronis has addressed this vulnerability in Acronis Cyber Protect 17 build 41186. Detailed patch information is available in the Acronis Security Advisory SEC-8486.
Organizations should prioritize updating all Acronis Cyber Protect 17 installations to the patched version. The update addresses the access control validation issue by implementing proper authorization checks for report deletion operations.
Workarounds
- Implement network segmentation to limit access to Acronis Cyber Protect management interfaces
- Apply principle of least privilege by restricting user accounts to only necessary report management capabilities
- Enable additional authentication factors for administrative operations if supported
- Monitor and audit all report management activities until patching is complete
# Verify Acronis Cyber Protect build version on Linux
cat /usr/lib/Acronis/BackupAndRecovery/version
# Check Windows installation version
# Review installed version in Programs and Features or run:
# Get-ItemProperty "HKLM:\SOFTWARE\Acronis\*" | Select-Object DisplayName, DisplayVersion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
