{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28714", "assignerOrgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175", "state": "PUBLISHED", "assignerShortName": "Acronis", "dateReserved": "2026-03-03T02:29:03.753Z", "datePublished": "2026-03-05T23:51:47.409Z", "dateUpdated": "2026-03-09T17:19:55.828Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175", "shortName": "Acronis", "dateUpdated": "2026-03-05T23:51:47.409Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-522", "description": "CWE-522", "type": "CWE"}]}], "affected": [{"vendor": "Acronis", "product": "Acronis Cyber Protect 17", "platforms": ["Linux", "Windows"], "versions": [{"version": "unspecified", "status": "affected", "lessThan": "41186", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Unnecessary transmission of sensitive cryptographic material. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186."}], "references": [{"url": "https://security-advisory.acronis.com/advisories/SEC-5383", "name": "SEC-5383", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T17:19:49.028392Z", "id": "CVE-2026-28714", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T17:19:55.828Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28714", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T17:19:49.028392Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T17:19:52.505Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Acronis", "product": "Acronis Cyber Protect 17", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "41186", "versionType": "semver"}], "platforms": ["Linux", "Windows"], "defaultStatus": "unaffected"}], "references": [{"url": "https://security-advisory.acronis.com/advisories/SEC-5383", "name": "SEC-5383", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Unnecessary transmission of sensitive cryptographic material. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522"}]}], "providerMetadata": {"orgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175", "shortName": "Acronis", "dateUpdated": "2026-03-05T23:51:47.409Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28714", "state": "PUBLISHED", "dateUpdated": "2026-03-09T17:19:55.828Z", "dateReserved": "2026-03-03T02:29:03.753Z", "assignerOrgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175", "datePublished": "2026-03-05T23:51:47.409Z", "assignerShortName": "Acronis"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:acronis:cyber_protect:*:*:*:*:*:*:*:*", "matchCriteriaId": "52FF13FE-B050-4333-B0E3-F7EE4AA98520", "versionEndExcluding": "17.0.41186", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unnecessary transmission of sensitive cryptographic material. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186."}, {"lang": "es", "value": "Transmisi\u00f3n innecesaria de material criptogr\u00e1fico sensible. Los siguientes productos est\u00e1n afectados: Acronis Cyber Protect 17 (Linux, Windows) anterior a la compilaci\u00f3n 41186."}], "id": "CVE-2026-28714", "lastModified": "2026-03-13T16:39:21.643", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security@acronis.com", "type": "Secondary"}]}, "published": "2026-03-06T00:16:11.900", "references": [{"source": "security@acronis.com", "tags": ["Vendor Advisory"], "url": "https://security-advisory.acronis.com/advisories/SEC-5383"}], "sourceIdentifier": "security@acronis.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "security@acronis.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": ["Linux", "Windows"], "status": "affected", "versions": {"scheme": "generic", "value": "[0,41186)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "acronis_cyber_protect_17", "vendor": "acronis"}], "analysis": {"en": {"generated_at": "2026-04-16T11:49:03.772186+00:00", "value": {"mitigation_remediation": ["Upgrade Acronis Cyber Protect to build 41186 or later where the issue is fixed.", "Restrict outbound traffic from the Acronis components to prevent unintended transmission of cryptographic material to unauthorized destinations.", "Consult the Acronis advisory at https://security-advisory.acronis.com/advisories/SEC-5383 for additional guidance and monitor for future patches."], "summary": {"action": "Patch", "impact": "Leakage of Sensitive Cryptographic Material"}, "threat_synthesis": {"affected_systems": "Acronis Cyber Protect 17 running on Linux and Windows systems with builds older than 41186 are affected.", "description_and_impact": "The vulnerability allows the unnecessary transmission of cryptographic material, potentially exposing keys or certificates used by Acronis Cyber Protect 17. This can lead to confidentiality compromise of encryption assets and is classified as CWE\u2011522, authentication material exposure.", "risk_and_exploitability": "The CVSS score of 4.8 indicates a medium risk, while the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to require attacker access to the agent or server configuration to trigger the transmission; the advisement does not specify additional conditions."}}}}, "created": "2026-03-06T14:56:27.504171+00:00", "title": "Unnecessary Transmission of Sensitive Cryptographic Material in Acronis Cyber Protect 17", "updated": "2026-04-16T12:00:11.688650+00:00", "vendors": ["acronis", "acronis$PRODUCT$acronis_cyber_protect_17"]}