Acronis

Image: Midjourney

​Acronis warned customers to patch a critical Cyber Infrastructure security flaw that lets attackers bypass authentication on vulnerable servers using default credentials.

Acronis Cyber Infrastructure (ACI) is a unified multi-tenant platform for cyber protection that combines remote endpoint management, backup, and virtualization capabilities. It's also designed to run disaster recovery workloads and store enterprise backup data securely.

Unauthenticated attackers can exploit the vulnerability (tracked as CVE-2023-45249) in low-complexity attacks that don't require user interaction to gain remote code execution on unpatched ACI servers.

The CVE-2023-45249 flaw was patched nine months ago and impacts multiple products, including:

  • Acronis Cyber Infrastructure (ACI) before build 5.0.1-61 (patched in ACI 5.0 update 1.4),
  • Acronis Cyber Infrastructure (ACI) before build 5.1.1-71 (patched in ACI 5.1 update 1.2),
  • Acronis Cyber Infrastructure (ACI) before build 5.2.1-69 (patched in ACI 5.2 update 1.3),
  • Acronis Cyber Infrastructure (ACI) before build 5.3.1-53 (patched in ACI 5.3 update 1.3),
  • Acronis Cyber Infrastructure (ACI) before build 5.4.4-132 (patched in ACI 5.4 update 4.2).

Earlier this week, the company confirmed in a new security advisory that the bug has been exploited in attacks and warned admins to patch their installation as soon as possible.

"This update contains fixes for 1 critical severity security vulnerability and should be installed immediately by all users. This vulnerability is known to be exploited in the wild," Acronis said.

"Keeping the software up to date is important to maintain the security of your Acronis products. For guidelines on the availability of support and security updates, see Acronis products support lifecycle."

To check if your servers are vulnerable, you can find Acronis Cyber Infrastructure's build number by going into the Help -> About dialog box from the software's main window.

To update ACI to the latest available build, you have to:

  1. Log in to your account (you can create one and register your licenses using these instructions).
  2. Download the latest ACI build in the "Products" section and install it on vulnerable servers.

Acronis shared the following statement about the flaw with BleepingComputer.

"CVE-2023-45249 pertains to remote command execution vulnerability due to the use of default passwords. The Acronis security team has conducted a thorough analysis and assessed the critical risk level.

We have already implemented a patch to address this issue; the patch has been released and deployed. We have advised customers to upgrade to the latest version of Acronis Cyber Infrastructure (ACI) in order to fix the vulnerability.

The patch and fix were made available 9 months ago when the vulnerability was first detected. Customers should follow patch protocols posted here: https://security-advisory.acronis.com/advisories/SEC-6452."

Update 7/29/24: Updated article to fix incorrect mention of Acronis Cyber Protect and added a statement.

Related Articles:

Zero-Day Bug in KDE 4/5 Executes Commands by Opening a Folder

Hackers hijack Citrix NetScaler login pages to steal credentials

Netscaler ADC bug exploited to breach US critical infrastructure org

Palo Alto Networks warns of potential PAN-OS RCE vulnerability

Microsoft SharePoint RCE bug exploited to breach corporate network