CVE-2026-41952 Overview
CVE-2026-41952 is a local privilege escalation vulnerability affecting Acronis DeviceLock DLP and Acronis Cyber Protect Cloud Agent on Windows. The flaw stems from improper input validation in the affected components. A local authenticated attacker can leverage the weakness to gain elevated privileges on the host. The issue is tracked under [CWE-123] (Write-what-where Condition), indicating that the input validation failure allows the attacker to influence memory writes. Acronis addressed the vulnerability in DeviceLock DLP build 9.0.93212 and Cyber Protect Cloud Agent build 42183.
Critical Impact
Successful exploitation grants high impact to confidentiality, integrity, and availability, enabling a low-privileged local user to escalate to administrative control over the Windows host.
Affected Products
- Acronis DeviceLock DLP (Windows) before build 9.0.93212
- Acronis Cyber Protect Cloud Agent (Windows) before build 42183
- Windows endpoints running the vulnerable Acronis agents
Discovery Timeline
- 2026-04-29 - CVE-2026-41952 published to NVD
- 2026-04-30 - Last updated in NVD database
Technical Details for CVE-2026-41952
Vulnerability Analysis
The vulnerability is a local privilege escalation issue in Acronis DeviceLock DLP and Acronis Cyber Protect Cloud Agent on Windows. Both products run privileged components that process input from lower-privileged contexts. The agents fail to properly validate input before acting on it, which creates a controllable condition that influences write operations within a privileged process.
Acronis classifies the weakness under [CWE-123] (Write-what-where Condition). This category covers flaws where an attacker can control both the destination address and the value written, leading to memory corruption or modification of security-sensitive data. An authenticated local user can convert this primitive into code execution within the privileged service context.
The attack requires local access and low privileges. No user interaction is needed. Because the affected services run with elevated rights, exploitation yields full control over the host.
Root Cause
The root cause is missing or insufficient sanitization of input consumed by privileged Acronis components on Windows. The service does not enforce expected ranges, types, or boundaries on values it processes, allowing crafted input to direct write operations to unintended memory or system locations. Acronis did not publish granular technical details in the public advisory.
Attack Vector
An attacker first obtains low-privileged code execution on a Windows host running a vulnerable Acronis agent. The attacker then submits crafted input to the local interface exposed by the privileged service, such as an IPC channel, named pipe, or local socket. The service processes the malformed input without adequate validation and performs an attacker-influenced write. The attacker uses the resulting primitive to escalate to SYSTEM privileges. No verified public exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-41952
Indicators of Compromise
- Unexpected child processes spawned by Acronis service binaries running as SYSTEM or LocalSystem.
- Crashes, restarts, or anomalous memory access errors logged by the DeviceLock or Cyber Protect agent service.
- Creation of new privileged local accounts or modification of service configurations shortly after agent interaction.
Detection Strategies
- Inventory Windows endpoints and confirm installed Acronis DeviceLock DLP and Cyber Protect Cloud Agent build numbers against the fixed versions.
- Monitor process lineage where Acronis service processes spawn shells, scripting hosts, or LOLBins such as cmd.exe, powershell.exe, or rundll32.exe.
- Alert on local IPC and named pipe activity from non-administrative users targeting Acronis service endpoints.
Monitoring Recommendations
- Forward Windows Security, Sysmon, and Acronis application logs to a central analytics platform for correlation.
- Track service binary integrity and configuration changes on hosts running Acronis agents.
- Baseline normal Acronis service behavior and alert on deviations such as privilege changes or unexpected token manipulation.
How to Mitigate CVE-2026-41952
Immediate Actions Required
- Upgrade Acronis DeviceLock DLP on Windows to build 9.0.93212 or later.
- Upgrade Acronis Cyber Protect Cloud Agent on Windows to build 42183 or later.
- Restrict interactive and remote logon rights on systems running the vulnerable agents to trusted administrators only.
- Audit local accounts and remove unnecessary standard users from sensitive servers running Acronis components.
Patch Information
Acronis published fixes in the Acronis Security Advisory SEC-7790. Apply DeviceLock DLP build 9.0.93212 and Cyber Protect Cloud Agent build 42183 or newer. Verify the installed version after deployment using the agent management console or by inspecting the binary version metadata on each host.
Workarounds
- No vendor-supplied workaround is documented; patching is the supported remediation path.
- Limit local logon to the affected hosts and enforce application allowlisting to reduce the pool of users who can deliver malicious input.
- Apply least-privilege policies so standard users cannot interact with sensitive local services beyond required workflows.
# Verify installed Acronis agent versions on Windows (PowerShell)
Get-CimInstance Win32_Product |
Where-Object { $_.Name -match 'Acronis (DeviceLock|Cyber Protect)' } |
Select-Object Name, Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

