{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28725", "assignerOrgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175", "state": "PUBLISHED", "assignerShortName": "Acronis", "dateReserved": "2026-03-03T02:29:03.754Z", "datePublished": "2026-03-05T23:56:49.496Z", "dateUpdated": "2026-03-06T19:33:51.673Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175", "shortName": "Acronis", "dateUpdated": "2026-03-05T23:56:49.496Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-732", "description": "CWE-732", "type": "CWE"}]}], "affected": [{"vendor": "Acronis", "product": "Acronis Cyber Protect 17", "platforms": ["Linux", "Windows"], "versions": [{"version": "unspecified", "status": "affected", "lessThan": "41186", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Sensitive information disclosure due to improper configuration of a headless browser. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186."}], "references": [{"url": "https://security-advisory.acronis.com/advisories/SEC-8695", "name": "SEC-8695", "tags": ["vendor-advisory"]}], "credits": [{"lang": "en", "value": "@vultza (https://hackerone.com/vultza)", "type": "finder"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T19:29:45.994187Z", "id": "CVE-2026-28725", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T19:33:51.673Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28725", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T19:29:45.994187Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T19:29:46.989Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "@vultza (https://hackerone.com/vultza)"}], "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Acronis", "product": "Acronis Cyber Protect 17", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "41186", "versionType": "semver"}], "platforms": ["Linux", "Windows"], "defaultStatus": "unaffected"}], "references": [{"url": "https://security-advisory.acronis.com/advisories/SEC-8695", "name": "SEC-8695", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Sensitive information disclosure due to improper configuration of a headless browser. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-732", "description": "CWE-732"}]}], "providerMetadata": {"orgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175", "shortName": "Acronis", "dateUpdated": "2026-03-05T23:56:49.496Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28725", "state": "PUBLISHED", "dateUpdated": "2026-03-06T19:33:51.673Z", "dateReserved": "2026-03-03T02:29:03.754Z", "assignerOrgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175", "datePublished": "2026-03-05T23:56:49.496Z", "assignerShortName": "Acronis"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:acronis:cyber_protect:*:*:*:*:*:*:*:*", "matchCriteriaId": "52FF13FE-B050-4333-B0E3-F7EE4AA98520", "versionEndExcluding": "17.0.41186", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sensitive information disclosure due to improper configuration of a headless browser. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186."}, {"lang": "es", "value": "Revelaci\u00f3n de informaci\u00f3n sensible debido a la configuraci\u00f3n incorrecta de un navegador sin interfaz gr\u00e1fica. Los siguientes productos est\u00e1n afectados: Acronis Cyber Protect 17 (Linux, Windows) anterior a la compilaci\u00f3n 41186."}], "id": "CVE-2026-28725", "lastModified": "2026-03-13T16:38:17.687", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security@acronis.com", "type": "Secondary"}]}, "published": "2026-03-06T00:16:13.627", "references": [{"source": "security@acronis.com", "tags": ["Vendor Advisory"], "url": "https://security-advisory.acronis.com/advisories/SEC-8695"}], "sourceIdentifier": "security@acronis.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "security@acronis.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": ["Linux", "Windows"], "status": "affected", "versions": {"scheme": "generic", "value": "[0,41186)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "acronis_cyber_protect_17", "vendor": "acronis"}], "analysis": {"en": {"generated_at": "2026-04-17T12:29:46.991166+00:00", "value": {"mitigation_remediation": ["Apply the latest Acronis Cyber Protect\u00a017 update (build\u202f41186 or later).", "If an update is unavailable, reconfigure the headless browser to restrict its privileges and disable any features that expose internal data.", "Audit system configurations to ensure no residual misconfigurations in the headless browser remain, and verify that only necessary services are running.", "Monitor security logs for unusual headless browser activity to detect potential exploitation attempts."], "summary": {"action": "Patch", "impact": "Sensitive Information Disclosure"}, "threat_synthesis": {"affected_systems": "Affected systems include Acronis Cyber Protect\u00a017 on Linux and Windows. The vulnerable builds are any versions prior to build\u00a041186. No other product versions are currently known to be impacted.", "description_and_impact": "The vulnerability arises from an improper configuration of the headless browser component in Acronis Cyber Protect\u00a017, enabling internal data to be accessed or transmitted beyond its intended boundary. As a result, confidential information such as configuration details or authentication data can be exposed, directly compromising confidentiality of the affected environment.\n\nThe flaw specifically targets the headless browser\u2019s misconfigured permissions. When an attacker can influence the browser\u2019s request handling, they may retrieve sensitive payloads that are normally protected. The damage is limited to information disclosure; there is no evidence of code execution or denial of service.\n\nAcronis Cyber Protect\u00a017 users on both Linux and Windows platforms running builds before 41186 are impacted. The CVSS base score of 5.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, and while the exact attack vector is inferred to involve exploitation of local or compromised accounts interacting with the headless browser, no direct remote exploitation path has been documented.", "risk_and_exploitability": "The CVSS base score of 5.5 signals moderate severity, while the EPSS score of less than 1% indicates a low probability of exploitation. The exploit does not appear in the CISA KEV catalog. The vulnerability is likely to be abused by an attacker who has local or compromised access to the system and can interact with the headless browser component; no direct remote exploitation path has been documented. The flaw permits the leakage of confidential data but does not grant code execution, escalation of privilege, or denial of service."}}}}, "created": "2026-03-06T14:56:17.481867+00:00", "title": "Headless Browser Configuration Leak Exposes Sensitive Information", "updated": "2026-04-17T12:30:06.284819+00:00", "vendors": ["acronis", "acronis$PRODUCT$acronis_cyber_protect_17"]}