CVE-2026-28728 Overview
CVE-2026-28728 is a local privilege escalation vulnerability in Acronis True Image for Windows caused by DLL hijacking [CWE-427]. Builds prior to 42902 search for and load libraries from untrusted locations, allowing a low-privileged local user to place a malicious Dynamic Link Library (DLL) that the application loads with elevated privileges. Successful exploitation grants attackers the ability to execute arbitrary code in the security context of the vulnerable process, compromising confidentiality, integrity, and availability on the affected host.
Critical Impact
A local attacker with limited privileges can escalate to higher privileges by planting a malicious DLL that Acronis True Image loads at runtime, leading to full code execution on the endpoint.
Affected Products
- Acronis True Image (Windows) builds before 42902
- Windows endpoints running vulnerable Acronis True Image installations
- Backup workstations and consumer systems with Acronis True Image deployed
Discovery Timeline
- 2026-04-02 - CVE-2026-28728 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-28728
Vulnerability Analysis
The vulnerability stems from insecure library loading behavior in Acronis True Image for Windows. The application resolves one or more DLL dependencies without enforcing a fully qualified path or restricting the DLL search order. A local user who can write to a directory included in the search path can supply a crafted DLL that gets loaded into the Acronis process. Once loaded, the attacker-controlled code runs with the privileges of the calling process, which in backup software typically means SYSTEM-level or an otherwise elevated user context.
Exploitation requires local access and user interaction, and its complexity is raised by environmental conditions such as timing or the need to control a specific search-path location. The flaw is tracked under CWE-427: Uncontrolled Search Path Element.
Root Cause
The root cause is improper validation of the DLL search path used by Acronis True Image components. Windows applications that call LoadLibrary without an absolute path, or that fail to invoke hardening APIs such as SetDefaultDllDirectories and SetDllDirectory, inherit the legacy search order. This order includes the application directory, current working directory, and writable directories on PATH. Attackers leverage these writable locations to introduce a rogue DLL that matches an expected import name.
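To make the search-order reasoning above concrete, the following added example (not Acronis code; the directory layout, DLL names and permissions are constructed) models how Windows resolves a DLL name under the legacy order versus after SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS), and flags any dependency whose resolution lands in a directory a standard user can write to. It generalizes the page's single case to an audit over a whole list of dependencies.

```python
"""Model of the Windows DLL search order, used to show why a bare-name
LoadLibrary call is hijackable and what the hardening APIs change.
Added illustration: the directories, file names and ACLs below are
constructed, not taken from Acronis True Image."""
from __future__ import annotations
from dataclasses import dataclass
import ntpath

SYSTEM32 = r"C:\Windows\System32"


@dataclass
class Host:
    files: dict            # directory -> set of DLL names present (constructed)
    user_writable: set     # directories a standard user can write to (constructed)
    app_dir: str           # directory of the loading executable
    cwd: str               # current working directory of the process
    path_entries: list     # entries of the PATH variable in effect


def legacy_search_order(host: Host) -> list[str]:
    # Default order (SafeDllSearchMode on) when no hardening API is called:
    # application dir, System32, 16-bit System dir, Windows dir, CWD, then PATH.
    return [host.app_dir, SYSTEM32, r"C:\Windows\System", r"C:\Windows",
            host.cwd, *host.path_entries]


def hardened_search_order(host: Host) -> list[str]:
    # Effective order after SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS):
    # application dir and System32 (plus AddDllDirectory dirs, none here);
    # CWD and PATH are no longer consulted.
    return [host.app_dir, SYSTEM32]


def resolve(host: Host, name: str, order: list[str]) -> str | None:
    """Return the path Windows would load for `name`, or None if not found."""
    if ntpath.isabs(name):
        # A fully qualified name is opened directly; no search takes place.
        directory, base = ntpath.split(name)
        return name if base in host.files.get(directory, set()) else None
    for directory in order:
        if name in host.files.get(directory, set()):
            return ntpath.join(directory, name)
    return None


def audit(host: Host, deps: list[str], order: list[str]) -> dict:
    """Map each dependency to (resolved_path, risky). risky is True when the
    file that gets loaded sits in a directory a standard user can write to."""
    result = {}
    for dep in deps:
        hit = resolve(host, dep, order)
        risky = hit is not None and ntpath.dirname(hit) in host.user_writable
        result[dep] = (hit, risky)
    return result


def writable_search_dirs(host: Host, order: list[str]) -> list[str]:
    """Directories in the search order that a standard user can write to; each
    is a place where a planted DLL could satisfy a missing dependency."""
    return [d for d in order if d in host.user_writable]


# Constructed host: the app dir is admin-only, the user's Temp dir is the CWD,
# and a loosely permissioned C:\Tools sits on PATH (hypothetical names).
APP_DIR = r"C:\Program Files\Acronis\TrueImage"
TEMP = r"C:\Users\alice\AppData\Local\Temp"
TOOLS = r"C:\Tools"
HOST = Host(
    files={
        APP_DIR: {"ti_core.dll"},
        SYSTEM32: {"version.dll"},
        TOOLS: {"plugin_helper.dll"},   # optional dependency present only here
    },
    user_writable={TEMP, TOOLS},
    app_dir=APP_DIR,
    cwd=TEMP,
    path_entries=[SYSTEM32, TOOLS],
)
DEPS = ["ti_core.dll", "version.dll", "plugin_helper.dll"]

if __name__ == "__main__":
    for label, order in (("legacy", legacy_search_order(HOST)),
                         ("hardened", hardened_search_order(HOST))):
        print(label, audit(HOST, DEPS, order), writable_search_dirs(HOST, order))
```

Under the legacy order the optional dependency resolves from the writable PATH entry and is flagged; under the hardened order it is simply not found, which is the safe failure the mitigation aims for. The model assumes the application directory itself is not user-writable, which is why the workaround of tightening permissions on the install directory matters as much as the API change.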
Attack Vector
An attacker authenticated as a low-privileged user plants a malicious DLL in a directory writable by the user and searched by the Acronis True Image binary. When a privileged Acronis process launches or triggers the dependent component, Windows loads the planted DLL instead of the legitimate library. The DLL's DllMain executes attacker-controlled code under the elevated process token, resulting in privilege escalation. The detailed exploitation mechanics are described in the Acronis Security Advisory SEC-10401.
Detection Methods for CVE-2026-28728
Indicators of Compromise
- Presence of unexpected DLL files in directories writable by standard users alongside Acronis True Image binaries or in directories listed in PATH.
- Acronis True Image processes loading modules from non-standard paths such as user profile directories or temporary folders.
- Newly created DLL files with names matching common system or Acronis dependencies in non-system directories.
Detection Strategies
- Monitor module load events (Sysmon Event ID 7) for Acronis True Image processes loading DLLs from outside Program Files or trusted signed paths.
- Audit file creation events for DLL files written by non-administrative users into directories searched by Acronis components.
- Validate digital signatures of all DLLs loaded by Acronis processes and flag unsigned or untrusted publisher modules.
Monitoring Recommendations
- Enable PowerShell and process creation logging to capture spawning of LOLBins or scripts that stage DLL payloads.
- Track changes to environment variables such as PATH for the user and system scope.
- Alert on writes to the Acronis installation directory by accounts other than SYSTEM or TrustedInstaller.
How to Mitigate CVE-2026-28728
Immediate Actions Required
- Upgrade Acronis True Image for Windows to build 42902 or later as directed by the vendor advisory.
- Restrict write permissions on directories included in the DLL search path to administrative accounts only.
- Inventory endpoints to identify any vulnerable Acronis True Image installations and prioritize patching.
Patch Information
Acronis has released a fixed build addressing the DLL hijacking flaw. Apply build 42902 or newer of Acronis True Image for Windows. Patch details and download links are available in the Acronis Security Advisory SEC-10401.
Workarounds
- Remove write permissions for standard users on the Acronis True Image installation directory and any custom directories present in the system PATH.
- Enforce application control policies such as Windows Defender Application Control or AppLocker to block unsigned DLLs from loading into Acronis processes.
- Limit local logon rights on systems where Acronis True Image runs with elevated privileges to reduce the pool of potential attackers.
<!-- Configuration example: audit non-system DLLs loaded by Acronis processes via Sysmon -->
<!-- Place inside <EventFiltering> in the Sysmon configuration; groupRelation="and" makes every condition apply -->
<RuleGroup name="AcronisImageLoad" groupRelation="and">
  <ImageLoad onmatch="include">
    <Image condition="contains">TrueImage</Image>
    <ImageLoaded condition="excludes">C:\Program Files\</ImageLoaded>
    <ImageLoaded condition="excludes">C:\Program Files (x86)\</ImageLoaded>
    <ImageLoaded condition="excludes">C:\Windows\</ImageLoaded>
  </ImageLoad>
</RuleGroup>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

