CVE-2026-28728 Overview
CVE-2026-28728 is a local privilege escalation vulnerability in Acronis True Image for Windows caused by DLL hijacking. An attacker with local access and low privileges can potentially escalate privileges by exploiting improper control of the search path used for dynamically loaded libraries. Successful exploitation requires user interaction and has high attack complexity.
Critical Impact
Attackers can achieve high impact to confidentiality, integrity, and availability by hijacking DLL loading mechanisms in Acronis True Image, potentially gaining elevated privileges on the affected system.
Affected Products
- Acronis True Image (Windows) before build 42902
Discovery Timeline
- April 2, 2026 - CVE-2026-28728 published to NVD
- April 2, 2026 - Last updated in NVD database
Technical Details for CVE-2026-28728
Vulnerability Analysis
This vulnerability falls under CWE-427 (Uncontrolled Search Path Element), a common weakness that occurs when an application searches for critical resources, such as DLL files, in a location that is under the control of an attacker. In this case, Acronis True Image for Windows fails to properly restrict the locations from which it loads dynamic-link libraries during execution.
DLL hijacking attacks exploit the Windows DLL search order mechanism. When an application attempts to load a DLL without specifying a fully qualified path, Windows searches through a predefined set of directories. If an attacker can place a malicious DLL in a location that Windows searches before the legitimate DLL location, the malicious DLL will be loaded instead.
The local attack vector and high attack complexity indicate that exploitation, while possible, depends on specific conditions: local access to the system and some form of user interaction to trigger the vulnerable code path.
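The search-order mechanism described above, modelled as a check a defender or developer can run (an added example, not code from Acronis or from this advisory): given the directories Windows consults for an unqualified LoadLibrary call, report which user-writable directories are consulted before the legitimate copy is reached, and compare the default order against the restricted order a process gets after calling SetDefaultDllDirectories. All DLL names, user directories and writable-directory assumptions are constructed; the Acronis installation path is the one used later on this page.

```python
"""Model of the Windows DLL search order, used to check whether a library name
would be resolved through a user-writable directory (the CWE-427 condition).

Added example, not Acronis code. DLL names, user directories and the set of
user-writable directories below are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field
import ntpath

APP_DIR = r"C:\Program Files (x86)\Acronis\TrueImageHome"  # installation dir cited on this page
WINDOWS_DIR = r"C:\Windows"

# Constructed file system: directory -> DLL names present there.
SAMPLE_FS = {
    APP_DIR: {"ti_core.dll"},                                # hypothetical product DLL
    ntpath.join(WINDOWS_DIR, "System32"): {"helper.dll"},    # hypothetical system DLL
    r"C:\Users\alice\Downloads": set(),
    r"C:\Users\alice\AppData\Local\Temp": set(),
}

# Directories a low-privileged user can write to (constructed assumption).
USER_WRITABLE = {r"C:\Users\alice\Downloads", r"C:\Users\alice\AppData\Local\Temp"}


def default_search_order(app_dir, cwd, path_dirs, windows_dir=WINDOWS_DIR):
    """Search order for an unqualified LoadLibrary("name.dll") with SafeDllSearchMode
    enabled (the Windows default). The current directory and PATH come last, but they
    are still consulted whenever the DLL is not found earlier."""
    return [
        app_dir,
        ntpath.join(windows_dir, "System32"),
        ntpath.join(windows_dir, "System"),
        windows_dir,
        cwd,
        *path_dirs,
    ]


def hardened_search_order(app_dir, windows_dir=WINDOWS_DIR):
    """Search order after the process calls
    SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS) (or loads with
    LOAD_LIBRARY_SEARCH_APPLICATION_DIR | LOAD_LIBRARY_SEARCH_SYSTEM32):
    the current directory and PATH are never consulted."""
    return [app_dir, ntpath.join(windows_dir, "System32")]


@dataclass
class Assessment:
    dll: str
    resolved: str | None                                # path Windows would load, or None
    exposed: list[str] = field(default_factory=list)    # writable dirs consulted first


def assess(dll, search_order, fs=SAMPLE_FS, user_writable=USER_WRITABLE):
    """Walk the search order and record every user-writable directory Windows checks
    before it reaches the legitimate copy. A non-empty `exposed` list means a DLL
    planted there would take precedence (or fill the gap left by a missing DLL)."""
    exposed = []
    for d in search_order:
        if d in user_writable:
            exposed.append(d)
        if dll.lower() in {n.lower() for n in fs.get(d, ())}:
            return Assessment(dll, ntpath.join(d, dll), exposed)
    return Assessment(dll, None, exposed)


def report(dll, cwd=r"C:\Users\alice\Downloads",
           path_dirs=(r"C:\Users\alice\AppData\Local\Temp",)):
    """Assess one DLL name under both search orders."""
    default = assess(dll, default_search_order(APP_DIR, cwd, list(path_dirs)))
    hardened = assess(dll, hardened_search_order(APP_DIR))
    return default, hardened


if __name__ == "__main__":
    for name in ("ti_core.dll", "helper.dll", "plugin.dll"):
        d, h = report(name)
        print(f"{name}: default -> {d.resolved} exposed={d.exposed}; "
              f"hardened -> {h.resolved} exposed={h.exposed}")
```

Two results are worth noting. A DLL that the application references but that is absent from every trusted directory (`plugin.dll` here) leaves both the current directory and every PATH entry exposed under the default order, and none under the hardened order. Passing `user_writable=USER_WRITABLE | {APP_DIR}` shows the other side: if the installation directory itself is writable by ordinary users, the hardened order cannot help, which is why the mitigation section below also asks for directory permissions to be reviewed.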
Root Cause
The root cause of CVE-2026-28728 is improper control over the search path used by Acronis True Image when loading DLL libraries. The application does not adequately validate or restrict the directories from which DLLs are loaded, allowing an attacker to place a malicious DLL in a directory that is searched before the intended library location. This is a classic manifestation of CWE-427 (Uncontrolled Search Path Element).
Attack Vector
The attack requires local access to the target system. An attacker with low privileges must place a specially crafted malicious DLL in a directory that Acronis True Image searches during execution. The attacker must then wait for or induce a legitimate user to perform an action that triggers the application to load the hijacked DLL. Upon loading, the malicious DLL executes with the privileges of the Acronis True Image process, which may include elevated system permissions depending on the application's execution context.
The high attack complexity rating indicates that successful exploitation depends on conditions beyond the attacker's direct control, such as specific installation configurations, directory permissions, or timing of user actions.
Detection Methods for CVE-2026-28728
Indicators of Compromise
- Presence of unexpected or unsigned DLL files in Acronis True Image installation directories or common DLL hijacking locations
- DLL files with names matching legitimate Acronis libraries but located in user-writable directories
- Unusual process behavior or child processes spawned from Acronis True Image executables
- File system changes in directories associated with the DLL search path
Detection Strategies
- Monitor for DLL loading events from non-standard or user-writable directories by Acronis True Image processes
- Implement application whitelisting to detect loading of unsigned or untrusted DLLs
- Use endpoint detection tools to identify process injection or privilege escalation attempts following Acronis application execution
- Audit file creation events in directories within the Windows DLL search path
Monitoring Recommendations
- Deploy Sysmon and enable image-load logging (Sysmon Event ID 7) to track which libraries Acronis processes load and from where
- Configure SentinelOne behavioral AI to detect anomalous DLL loading patterns associated with privilege escalation
- Monitor for unexpected modifications to directories containing Acronis True Image binaries
- Alert on execution of unsigned code within the context of Acronis processes
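The detection strategies and monitoring items above, applied to Sysmon Event ID 7 records (an added example, not SentinelOne or Acronis detection content): the script parses the EVTX XML layout of an image-load event and flags an Acronis True Image process that loads a DLL from outside the Windows and Program Files trees, or one whose Authenticode signature is missing or not valid. The four events, the executable name `TrueImage.exe` and the DLL names are constructed; the trusted-root policy is an assumption to adapt to the environment.

```python
"""Triage of Sysmon Event ID 7 (Image loaded) records for DLL hijacking indicators:
an Acronis True Image process loading a DLL from outside the trusted program and
Windows directories, or loading a DLL with a missing or invalid signature.

Added example, not SentinelOne or Acronis code. The event XML below is constructed;
the process and DLL names are hypothetical."""
from __future__ import annotations
import ntpath
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Roots from which installed software is expected to load code (assumed policy).
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
# Process images in scope: anything installed under the Acronis directory.
ACRONIS_ROOT = r"C:\Program Files (x86)\Acronis"
ACRONIS_EXE = ntpath.join(ACRONIS_ROOT, "TrueImageHome", "TrueImage.exe")  # hypothetical


def sysmon_event(image, loaded, signed, status, pid=4242, user="DESKTOP\\alice"):
    """Build one constructed Sysmon Event ID 7 record in the EVTX XML layout."""
    data = {"Image": image, "ImageLoaded": loaded, "Signed": signed,
            "SignatureStatus": status, "ProcessId": str(pid), "User": user}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><EventID>7</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")


SAMPLE_EVENTS = [
    # benign: system DLL from System32
    sysmon_event(ACRONIS_EXE, r"C:\Windows\System32\kernel32.dll", "true", "Valid"),
    # benign: product DLL from the installation directory
    sysmon_event(ACRONIS_EXE, ntpath.join(ACRONIS_ROOT, "TrueImageHome", "ti_core.dll"),
                 "true", "Valid"),
    # suspicious: unsigned DLL loaded from a user-writable temp directory
    sysmon_event(ACRONIS_EXE, r"C:\Users\alice\AppData\Local\Temp\helper.dll",
                 "false", "Unavailable"),
    # out of scope: not an Acronis process
    sysmon_event(r"C:\Windows\explorer.exe", r"C:\Users\alice\AppData\Local\Temp\other.dll",
                 "false", "Unavailable"),
]


def parse_event(xml_text):
    """Return the EventData of a Sysmon event as a dict, or None if it is not Event ID 7."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "7":
        return None
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}


def under(path, root):
    """Case-insensitive 'path is inside root' test using Windows path semantics."""
    return ntpath.normcase(path).startswith(ntpath.normcase(root).rstrip("\\") + "\\")


def triage(xml_text):
    """Return a finding dict for a suspicious DLL load by an Acronis process, else None."""
    ev = parse_event(xml_text)
    if ev is None or not under(ev.get("Image", ""), ACRONIS_ROOT):
        return None
    loaded = ev.get("ImageLoaded", "")
    reasons = []
    if not any(under(loaded, r) for r in TRUSTED_ROOTS):
        reasons.append("DLL loaded from outside the Windows/Program Files trees")
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("DLL unsigned or signature not valid")
    if not reasons:
        return None
    return {"process": ev["Image"], "dll": loaded, "pid": ev.get("ProcessId"),
            "user": ev.get("User"), "reasons": reasons}


def triage_all(events=SAMPLE_EVENTS):
    """Run triage over a batch of raw event XML strings and keep only the findings."""
    return [f for f in map(triage, events) if f]


if __name__ == "__main__":
    for finding in triage_all():
        print(finding)
```

Only the third event produces a finding, with both reasons attached. Keying the location check on the process image rather than on the DLL name keeps the rule robust against a planted library that copies a legitimate Acronis file name (the second indicator of compromise listed above).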
How to Mitigate CVE-2026-28728
Immediate Actions Required
- Update Acronis True Image for Windows to build 42902 or later
- Review and restrict write permissions on directories in the DLL search path
- Audit systems for any suspicious DLL files in Acronis installation directories
- Enable application control policies to prevent execution of untrusted code
Patch Information
Acronis has addressed this vulnerability in Acronis True Image for Windows build 42902. Users should update to this version or later to remediate the DLL hijacking vulnerability. Detailed patch information is available in the Acronis Security Advisory SEC-10401.
Workarounds
- Restrict user write access to directories in the Windows DLL search path
- Implement application whitelisting solutions to prevent execution of unauthorized DLLs
- Configure Windows Defender Application Control (WDAC) or AppLocker policies to block unsigned code execution
- Use SentinelOne's application control features to prevent DLL hijacking attempts
```cmd
REM Verify the installed Acronis True Image build by listing the installation directory
dir "C:\Program Files (x86)\Acronis\TrueImageHome" /A
REM Display the ACLs on the Acronis directory tree so that write access granted to
REM low-privileged groups can be reviewed (icacls /verify only checks that ACLs are canonical)
icacls "C:\Program Files (x86)\Acronis" /T /C
```
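Reviewing the `icacls` output by hand is error-prone on a large tree, so here is an added example (not Acronis or SentinelOne code) that parses that output and reports every allow-ACE granting write-capable rights to a principal every local user holds, which covers the "restrict write permissions on directories in the DLL search path" items above. The `icacls` listing is constructed; the Modify entry for Authenticated Users on the Acronis directory and the user-writable `C:\Users\alice\Tools` entry are planted misconfigurations, and the principal list is an assumption to extend with domain groups.

```python
"""Audit of `icacls` output for directories that a low-privileged principal can write
to. Feed it the output of `icacls <dir> /T /C` for the installation directory and for
every directory on PATH.

Added example, not Acronis or SentinelOne code. The listing below is constructed."""
import re

# Well-known principals that any local user effectively holds (assumption; extend
# with domain groups such as "Domain Users" for your environment).
LOW_PRIV = ("Everyone", r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users",
            r"NT AUTHORITY\INTERACTIVE")
# Other well-known principals, needed only to split the path from the principal on
# the first line of each entry.
KNOWN = LOW_PRIV + (r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators", "CREATOR OWNER",
                    r"NT SERVICE\TrustedInstaller")
# icacls rights that allow creating or replacing files: simple rights F, M, W and the
# specific rights for write data/add file, append/add subdirectory, write DAC/owner,
# and delete child.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "DC"}

# "<path> <principal>:(flags)(rights)" on the first line, "<principal>:(...)" after it.
ACE_RE = re.compile(r"^(?P<head>.*?):(?P<perms>(?:\([^)]*\))+)$")

SAMPLE_ICACLS = r"""C:\Program Files (x86)\Acronis NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                BUILTIN\Administrators:(OI)(CI)(F)
                                BUILTIN\Users:(OI)(CI)(RX)
                                NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
C:\Program Files (x86)\Acronis\TrueImageHome NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                BUILTIN\Users:(OI)(CI)(RX)
C:\Users\alice\Tools BUILTIN\Users:(OI)(CI)(F)
Successfully processed 3 files; Failed processing 0 files
"""


def split_principal(head):
    """Split 'path principal' (first line) or 'principal' (continuation) into its parts."""
    for p in KNOWN:
        if head == p:
            return "", p
        if head.endswith(" " + p):
            return head[: -len(p)].rstrip(), p
    # Fallback for DOMAIN\user entries: the last whitespace-separated token is the principal.
    parts = head.rsplit(" ", 1)
    return (parts[0], parts[1]) if len(parts) == 2 else ("", head)


def rights(perms):
    """Flatten '(OI)(CI)(WD,AD)' into the set {'OI', 'CI', 'WD', 'AD'}."""
    return {t for grp in re.findall(r"\(([^)]*)\)", perms) for t in grp.split(",")}


def parse_icacls(text):
    """Yield (path, principal, rights-set) for every ACE in icacls output."""
    path = None
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue                          # blank or summary line
        prefix, principal = split_principal(m.group("head"))
        if not raw[:1].isspace():             # first line of a new path
            path = prefix
        yield path, principal, rights(m.group("perms"))


def writable_by_low_priv(text):
    """Return [(path, principal, [write rights])] for allow-ACEs granting write access."""
    findings = []
    for path, principal, toks in parse_icacls(text):
        if "DENY" in toks or principal not in LOW_PRIV:
            continue
        granted = toks & WRITE_RIGHTS
        if granted:
            findings.append((path, principal, sorted(granted)))
    return findings


if __name__ == "__main__":
    for path, principal, granted in writable_by_low_priv(SAMPLE_ICACLS):
        print(f"{path}: {principal} has {','.join(granted)}")
```

The two planted entries are the only ones reported. Deny ACEs are skipped because they override allow entries and therefore do not widen access; inheritance flags such as `(OI)` and `(CI)` are parsed but not treated as rights.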
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.