{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28727", "assignerOrgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175", "state": "PUBLISHED", "assignerShortName": "Acronis", "dateReserved": "2026-03-03T02:29:03.754Z", "datePublished": "2026-03-05T23:45:20.331Z", "dateUpdated": "2026-04-02T17:05:54.369Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175", "shortName": "Acronis", "dateUpdated": "2026-04-02T17:05:54.369Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-276", "description": "CWE-276", "type": "CWE"}]}], "affected": [{"vendor": "Acronis", "product": "Acronis Cyber Protect 17", "platforms": ["macOS"], "versions": [{"version": "unspecified", "status": "affected", "lessThan": "41186", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Acronis", "product": "Acronis Cyber Protect Cloud Agent", "platforms": ["macOS"], "versions": [{"version": "unspecified", "status": "affected", "lessThan": "41124", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Acronis", "product": "Acronis True Image", "platforms": ["macOS"], "versions": [{"version": "unspecified", "status": "affected", "lessThan": "42902", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Local privilege escalation due to insecure Unix socket permissions. The following products are affected: Acronis Cyber Protect 17 (macOS) before build 41186, Acronis Cyber Protect Cloud Agent (macOS) before build 41124, Acronis True Image (macOS) before build 42902."}], "references": [{"url": "https://security-advisory.acronis.com/advisories/SEC-9408", "name": "SEC-9408", "tags": ["vendor-advisory"]}], "credits": [{"lang": "en", "value": "@aiqitut (https://hackerone.com/aiqitut)", "type": "finder"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-07T04:55:25.648024Z", "id": "CVE-2026-28727", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T13:47:56.786Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28727", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-07T04:55:25.648024Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T13:47:53.593Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "@aiqitut (https://hackerone.com/aiqitut)"}], "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Acronis", "product": "Acronis Cyber Protect 17", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "41186", "versionType": "semver"}], "platforms": ["macOS"], "defaultStatus": "unaffected"}, {"vendor": "Acronis", "product": "Acronis Cyber Protect Cloud Agent", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "41124", "versionType": "semver"}], "platforms": ["macOS"], "defaultStatus": "unaffected"}, {"vendor": "Acronis", "product": "Acronis True Image", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "42902", "versionType": "semver"}], "platforms": ["macOS"], "defaultStatus": "unaffected"}], "references": [{"url": "https://security-advisory.acronis.com/advisories/SEC-9408", "name": "SEC-9408", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "Local privilege escalation due to insecure Unix socket permissions. The following products are affected: Acronis Cyber Protect 17 (macOS) before build 41186, Acronis Cyber Protect Cloud Agent (macOS) before build 41124, Acronis True Image (macOS) before build 42902."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-276", "description": "CWE-276"}]}], "providerMetadata": {"orgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175", "shortName": "Acronis", "dateUpdated": "2026-04-02T17:05:54.369Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28727", "state": "PUBLISHED", "dateUpdated": "2026-04-02T17:05:54.369Z", "dateReserved": "2026-03-03T02:29:03.754Z", "assignerOrgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175", "datePublished": "2026-03-05T23:45:20.331Z", "assignerShortName": "Acronis"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:acronis:agent:*:*:*:*:*:*:*:*", "matchCriteriaId": "FE833FD9-CB6E-45A1-889C-AF6EDB5B3BD1", "versionEndExcluding": "c25.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:acronis:cyber_protect:*:*:*:*:*:*:*:*", "matchCriteriaId": "52FF13FE-B050-4333-B0E3-F7EE4AA98520", "versionEndExcluding": "17.0.41186", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Local privilege escalation due to insecure Unix socket permissions. The following products are affected: Acronis Cyber Protect 17 (macOS) before build 41186, Acronis Cyber Protect Cloud Agent (macOS) before build 41124, Acronis True Image (macOS) before build 42902."}, {"lang": "es", "value": "Escalada de privilegios local debido a permisos inseguros de socket Unix. Los siguientes productos est\u00e1n afectados: Acronis Cyber Protect 17 (macOS) anterior a la compilaci\u00f3n 41186, Acronis Cyber Protect Cloud Agent (macOS) anterior a la compilaci\u00f3n 41124."}], "id": "CVE-2026-28727", "lastModified": "2026-04-02T18:16:27.110", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security@acronis.com", "type": "Secondary"}]}, "published": "2026-03-06T00:16:13.923", "references": [{"source": "security@acronis.com", "tags": ["Vendor Advisory"], "url": "https://security-advisory.acronis.com/advisories/SEC-9408"}], "sourceIdentifier": "security@acronis.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "security@acronis.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["macOS"], "status": "affected", "versions": {"scheme": "generic", "value": "[0,41186)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "acronis_cyber_protect_17", "vendor": "acronis"}, {"configurations": [{"platform": ["macos"], "status": "affected", "versions": {"scheme": "generic", "value": "[0,41124)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "Acronis Cyber Protect Cloud Agent", "source": "cna", "vendor": "Acronis"}, "product": "cyber_protect_cloud_agent", "vendor": "acronis"}], "analysis": {"en": {"generated_at": "2026-04-15T19:53:32.364589+00:00", "value": {"mitigation_remediation": ["Update Acronis Cyber Protect 17 to build 41186 or later, Acronis Cyber Protect Cloud Agent to build 41124 or later, or Acronis True Image to build 42902 or later, as recommended by the vendor.", "If a patch cannot be applied immediately, modify the permissions on the vulnerable Unix socket to allow access only for privileged users, reducing the risk of local privilege escalation.", "As a temporary containment measure, stop or remove the Acronis service that creates the socket until an official fix is deployed."], "summary": {"action": "Patch", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected products are Acronis Cyber Protect 17 for macOS before build 41186, Acronis Cyber Protect Cloud Agent for macOS before build 41124, and Acronis True Image for macOS before build 42902. Users of these builds on macOS must verify the version and ensure they are running a patched release.", "description_and_impact": "Acronis products running on macOS provide a Unix socket with permissions that are too permissive, allowing a local user to send specially crafted requests that elevate the process to root privileges. This vulnerability is categorized as CWE-276, Incorrect Default Permissions, and can lead to full system compromise if an attacker gains local access.", "risk_and_exploitability": "The CVSS score of 7.8 indicates a medium to high severity, while the EPSS score of less than 1% suggests that exploitation is currently unlikely but not impossible. The vulnerability is not listed in the CISA KEV catalog, which implies it has not yet been widely exploited in the wild. The likely attack vector is local: an attacker who can execute code on the machine must exploit the improper socket permissions. Once accessed, the attacker can gain system-level privileges on the affected macOS instances."}}}}, "created": "2026-03-06T14:56:35.188490+00:00", "title": "Local Privilege Escalation via Improper Unix Socket Permissions in Acronis Cyber Protect", "updated": "2026-04-15T20:00:06.620347+00:00", "vendors": ["acronis", "acronis$PRODUCT$acronis_cyber_protect_17", "acronis$PRODUCT$cyber_protect_cloud_agent"]}