CVE-2022-3405

HIGH

Acronis Cyber Protect < 29486 and Cyber Backup < 16545 - Improper Privilege Management

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-3405. Includes Metasploit module auxiliary/gather/acronis_cyber_protect_machine_info_disclosure.

AI-analyzed exploit summary This Metasploit module exploits an authentication bypass vulnerability in Acronis Cyber Protect/Backup to disclose machine information by registering a dummy agent and retrieving admin-level bearer tokens.

Description

Code execution and sensitive information disclosure due to excessive privileges assigned to Acronis Agent. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 29486, Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545.

Exploits (2)

metasploit WORKING POC

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/acronis_cyber_protect_machine_info_disclosure.rb

View Code ZIP pw:eip

This Metasploit module exploits an authentication bypass vulnerability in Acronis Cyber Protect/Backup to disclose machine information by registering a dummy agent and retrieving admin-level bearer tokens.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Acronis Cyber Protect 15 (before build 29486) and Acronis Cyber Backup 12.5 (before build 16545)

No auth needed

Prerequisites: Network access to the Acronis appliance on port 9877/TCP

MITRE ATT&CK

T1110 - Brute Force T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/acronis_cyber_protect_unauth_rce_cve_2022_3405.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2022-3405 in Acronis Cyber Protect/Backup by leveraging unauthenticated API access to register a new agent, retrieve an admin-level bearer token, and execute arbitrary commands via backup plan pre-commands.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Acronis Cyber Protect 15 (before build 29486) and Acronis Cyber Backup 12.5 (before build 16545)

No auth needed

Prerequisites: Network access to the Acronis Cyber Protect/Backup appliance on port 9877

MITRE ATT&CK

T1189 - Drive-by Compromise T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Vendor Advisory vendor-advisory

https://security-advisory.acronis.com/advisories/SEC-4092

Exploit, Third Party Advisory

https://herolab.usd.de/security-advisories/usd-2022-0008/

Scores

CVSS v3 8.8

EPSS 0.0532

EPSS Percentile 91.5%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-269

Status published

Products (2)

acronis/cyber_backup 12.5 (15 CPE variants)

acronis/cyber_protect 15 (4 CPE variants)

Published May 03, 2023

Tracked Since Feb 18, 2026