CVE-2020-16171

high-risk
Published 2020-09-21

An issue was discovered in Acronis Cyber Backup before 12.5 Build 16342. Some API endpoints on port 9877 under /api/ams/ accept an additional custom Shard header. The value of this header is afterwards used in a separate web request issued by the application itself. This can be abused to conduct SSRF attacks against otherwise unreachable Acronis services that are bound to localhost such as the NotificationService on 127.0.0.1:30572.

Do I need to act?

!
11.2% chance of exploitation in next 30 days
EPSS score — higher than 89% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
49113
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.5/10 Medium
NETWORK / LOW complexity

Affected Products (16)

Affected Vendors

Acronis

References (4)

Exploit http://seclists.org/fulldisclosure/2020/Sep/33
Third Party Advisory https://www.rcesecurity.com/2020/09/CVE-2020-16171-Exploiting-Acronis-Cyber-Back...
Exploit http://seclists.org/fulldisclosure/2020/Sep/33
Third Party Advisory https://www.rcesecurity.com/2020/09/CVE-2020-16171-Exploiting-Acronis-Cyber-Back...
53
/ 100
high-risk
Severity 24/34 · High
Exploitability 11/34 · Low
Exposure 18/34 · Moderate