CVE-2022-3405

high-risk

Published 2023-05-03

Code execution and sensitive information disclosure due to excessive privileges assigned to Acronis Agent. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 29486, Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545.

Do I need to act?

36.9% chance of exploitation in next 30 days

EPSS score — higher than 63% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

ADJACENT_NETWORK / LOW complexity

Affected Products (19)

Cyber Backup

Cyber Protect

Affected Vendors

Acronis

References (4)

Exploit https://herolab.usd.de/security-advisories/usd-2022-0008/

Vendor Advisory https://security-advisory.acronis.com/advisories/SEC-4092

Exploit https://herolab.usd.de/security-advisories/usd-2022-0008/

Vendor Advisory https://security-advisory.acronis.com/advisories/SEC-4092

/ 100

high-risk

Severity 27/34 · High

Exploitability 16/34 · Moderate

Exposure 19/34 · Moderate