Critical Authentication Bypass Flaws (CVE-2025-30410–30416) Expose Acronis Cyber Protect Backup Servers to Full Remote Takeover

Vulnerability Overview

CVE IDs: CVE-2025-30410, CVE-2025-30411, CVE-2025-30412, CVE-2025-30413, CVE-2025-30414, CVE-2025-30415, CVE-2025-30416
Affected Product: Acronis Cyber Protect (on-prem) and Cloud Agent components
Vulnerability Type: Authentication Bypass / Improper Authentication / Authorization Logic Flaws
CVSS Scores: Ranging from 9.8 to 10.0
Severity: Critical
Attack Vector: Network (Remote)
Privileges Required: None (in multiple cases)
User Interaction: Not Required
Exploitability: High
Public Exploit Availability: No confirmed public exploit kit; technical details available in vulnerability feeds. Proof-of-concept style reproduction is possible in controlled lab environments.
Impact: Confidentiality, Integrity, and Availability fully compromised


Technical Description

A group of critical authentication and authorization vulnerabilities was identified within the Acronis Cyber Protect management services and Cloud Agent API components. The affected modules failed to properly validate authentication tokens and session state under certain request conditions.

In several cases, authentication checks were either improperly implemented or could be bypassed entirely through crafted API requests. Improper validation of access control logic allowed unauthorized users to interact with management endpoints that should have required administrator authentication.

The vulnerabilities primarily affected:

  • Management API endpoints
  • Agent communication channels
  • Backup catalog services
  • Administrative configuration interfaces
  • Restore and recovery job execution endpoints

Under vulnerable builds, HTTP(S) requests directed toward specific internal API paths could be processed successfully without valid session cookies, OAuth tokens, or expected authorization headers.

This condition effectively exposed backup infrastructure to unauthorized control.


Affected Components

  • Acronis Cyber Protect 15 / 16 (on-prem deployments)
  • Acronis Cyber Protect Management Server
  • Acronis Cyber Protect Cloud Agent (Windows, Linux, macOS)
  • Web-based administrative console
  • REST API endpoints used by agents and management server

Root Cause Analysis

The vulnerabilities were caused by one or more of the following implementation flaws:

  • Missing authentication middleware on certain API routes
  • Improper validation of bearer tokens
  • Logic flaws in role-based access control enforcement
  • Failure to revalidate session state on backend operations
  • Trust assumptions between agent and server communication channels

Improper boundary enforcement between authenticated and unauthenticated API contexts was observed.
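The first three root causes above, as an added example (not Acronis code and not taken from the advisory): a per-handler check that one route forgets, beside a deny-by-default gate that authenticates and then authorizes every API path before any handler runs. The token store, route table and role names are constructed for the illustration.

```python
import hmac

# Constructed bearer-token store (not real credentials): token -> (user, role).
TOKENS = {"tok-admin-1": ("alice", "admin"), "tok-agent-7": ("host7", "agent")}

# Constructed route table: every API path and the role it requires.
ROLE_REQUIRED = {
    "/api/v2/agents": "admin",
    "/api/v2/backup/delete": "admin",
    "/api/v2/agent/heartbeat": "agent",
}


def identity_from(headers):
    """Return (user, role) for a valid 'Bearer <token>' header, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, identity in TOKENS.items():
        if hmac.compare_digest(token, presented):  # constant-time comparison
            return identity
    return None


def vulnerable_dispatch(path, headers):
    """Per-handler checks: the delete route checks, the agents route forgot to."""
    if path == "/api/v2/backup/delete":
        return 401 if identity_from(headers) is None else 200
    if path == "/api/v2/agents":
        return 200  # no middleware, no check: unauthenticated 200
    return 404


def hardened_dispatch(path, headers):
    """Deny by default: authenticate, then authorize, before any handler runs."""
    identity = identity_from(headers)
    if identity is None:
        return 401  # missing or invalid bearer token, whatever the path
    required_role = ROLE_REQUIRED.get(path)
    if required_role is None:
        return 404  # only authenticated callers learn which routes exist
    if identity[1] != required_role:
        return 403  # authenticated, but the wrong role for this route
    return 200
```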


Impact Assessment

If exploited, the following actions could have been performed:

1. Unauthorized Access to Backup Metadata

Backup catalogs, system inventory data, hostnames, repository paths, and configuration details could have been retrieved.

2. Backup Data Manipulation

Recovery points could have been deleted, altered, or replaced.

3. Restore Job Abuse

Restore operations could have been triggered to attacker-controlled destinations.

4. Credential Exposure

Stored service credentials or repository authentication secrets could have been exposed.

5. Ransomware Facilitation

Deletion of backups or corruption of recovery chains could have been performed prior to ransomware deployment, effectively inhibiting system recovery.

6. Lateral Movement Enablement

Access to system images or credential material could have allowed pivoting into other infrastructure segments.

Full compromise of backup integrity should be considered possible if exploitation occurred.


Exploitation Scenario

A practical exploitation flow could occur as follows:

  1. The management server is discovered through internet scanning or internal reconnaissance.
  2. The attacker identifies exposed TCP ports associated with Acronis services (commonly HTTPS).
  3. Crafted HTTP requests are sent to API endpoints that do not enforce proper authentication.
  4. The server responds with HTTP 200 responses instead of HTTP 401/403.
  5. Administrative operations such as listing agents, exporting backup catalogs, or modifying policies are executed.
  6. Backup deletion or configuration changes are performed.
  7. Malicious payload deployment or ransomware execution follows.

No user interaction is required in many cases.


Proof of Concept (Educational)

No widely distributed exploit framework has been confirmed at this time. However, due to the nature of authentication bypass vulnerabilities, reproduction in a lab environment can be straightforward.

A simplified demonstration approach may involve:

GET /api/v2/agents HTTP/1.1
Host: vulnerable-server

If authentication enforcement is missing, a valid JSON response containing agent inventory may be returned without providing credentials.

Similarly:

POST /api/v2/backup/delete

If executed without authentication and processed successfully, it confirms improper access control.


Indicators of Compromise (IOC)

The following indicators may suggest exploitation:

  • HTTP 200 responses to administrative endpoints without Authorization headers
  • Repeated access to /api/, /management/, /backup/, /restore/ paths from unknown IP addresses
  • Sudden deletion of recovery points
  • Creation of unexpected restore tasks
  • Unexpected changes to retention policies
  • Large outbound data transfers from backup repositories
  • New administrative accounts created via API

Detection Strategy

Monitoring should focus on API misuse, abnormal access patterns, and unauthorized configuration changes.

Primary log sources:

  • Acronis Management Server logs
  • Acronis Agent logs
  • Web server access logs
  • Reverse proxy / Load balancer logs
  • Firewall logs
  • Windows Security Event Logs
  • Linux syslog / journal logs
  • SIEM correlation data

Detection Rules (Splunk)

Unauthenticated API Access

index=web_logs sourcetype=access_combined
(uri_path="/api/*" OR uri_path="/management/*")
| where isnull(http_authorization) OR http_authorization=""
| stats count by client_ip, uri_path, status
| where status=200

Excessive Backup Enumeration

index=web_logs uri_path="/api/*backup*"
| stats count by client_ip
| where count > 20

Recovery Point Deletion Detection

index=acronis_logs action="delete_recovery_point"
| stats count by user, src_ip

Suspicious Restore Execution

index=acronis_logs action="restore_start"
| stats count by user, destination_host

Detection Rules (Elastic KQL)

Unauthorized API Call

http.request.uri : "/api/*" and
not http.request.headers.authorization : * and
http.response.status_code : 200

Suspicious Backup Download

http.request.uri : "*download*" and
not source.ip : ("APPROVED_ADMIN_IP_1" or "APPROVED_ADMIN_IP_2")

KQL has no "not in" operator, so the exclusion is written as a negated ":" match over an or-list; replace the two quoted placeholders with the approved administrative source addresses.

Backup Deletion Monitoring

event.action : "backup_deleted"
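The IOC list and the first two Splunk rules above, as added example code (not from the advisory and not Acronis tooling), run offline over constructed access-log lines. The log format (combined style with the Authorization header appended as a final quoted field, "-" when absent), the addresses and the paths are all constructed for the example.

```python
import re
from collections import Counter

# Constructed log format: combined-style line plus the Authorization header
# as a final quoted field ("-" when the request carried none).
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<auth>[^"]*)"$'
)

# Constructed sample: one external source hitting API paths with no credentials,
# one internal admin with a token, one rejected request, one static asset.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Apr/2025:10:00:01 +0000] "GET /api/v2/agents HTTP/1.1" 200 5120 "-"
203.0.113.10 - - [01/Apr/2025:10:00:02 +0000] "GET /api/v2/backup/list HTTP/1.1" 200 9000 "-"
10.0.0.5 - - [01/Apr/2025:10:00:03 +0000] "GET /api/v2/agents HTTP/1.1" 200 5120 "Bearer REDACTED"
10.0.0.5 - - [01/Apr/2025:10:00:04 +0000] "GET /api/v2/agents HTTP/1.1" 401 0 "-"
203.0.113.10 - - [01/Apr/2025:10:00:05 +0000] "POST /api/v2/backup/delete HTTP/1.1" 200 12 "-"
203.0.113.10 - - [01/Apr/2025:10:00:06 +0000] "GET /static/app.js HTTP/1.1" 200 300 "-"
"""


def parse(text):
    """Parse lines in the constructed format; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            row = m.groupdict()
            row["status"] = int(row["status"])
            rows.append(row)
    return rows


def unauthenticated_admin_hits(rows):
    """Rule 1: HTTP 200 to /api/ or /management/ with no Authorization header."""
    return [
        (r["ip"], r["path"])
        for r in rows
        if (r["path"].startswith("/api/") or r["path"].startswith("/management/"))
        and r["auth"] in ("", "-")
        and r["status"] == 200
    ]


def backup_enumerators(rows, threshold=20):
    """Rule 2: sources requesting /api/*backup* paths more than threshold times."""
    hits = Counter(r["ip"] for r in rows
                   if r["path"].startswith("/api/") and "backup" in r["path"])
    return {ip: n for ip, n in hits.items() if n > threshold}
```

Only a 200 with no credentials is flagged: the 401 from 10.0.0.5 and the tokened request are left out, so the list points straight at the source that needs a closer look.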

MITRE ATT&CK Mapping

  • T1190 – Exploit Public-Facing Application
  • T1078 – Valid Accounts Abuse
  • T1490 – Inhibit System Recovery
  • T1005 – Data from Local System
  • T1041 – Exfiltration Over C2 Channel
  • T1565 – Data Manipulation

Risk Assessment

Organizations with internet-exposed management servers are at highest risk.

Environments where backup infrastructure shares network segments with domain controllers or production workloads face elevated lateral movement risk.

Managed Service Providers (MSPs) using centralized Acronis management are particularly exposed due to multi-tenant architecture.


Remediation

Immediate upgrade to vendor-released patched builds is required.

Official Security Advisory and Patch Information:

https://security-advisory.acronis.com

All management servers and agents must be updated to the latest secure build.


Post-Patch Actions

  • Validate integrity of recent backups
  • Rotate backup service credentials
  • Enforce MFA on administrative accounts
  • Restrict management interface to VPN or trusted IP ranges
  • Enable enhanced logging
  • Conduct restore testing

Hardening Recommendations

  • Place management servers in isolated management VLAN
  • Block direct internet access
  • Implement IP allowlisting
  • Enforce strong RBAC policies
  • Deploy WAF in front of management console
  • Enable anomaly detection in SIEM
  • Regularly test backup restoration capability

Executive Summary

Critical authentication bypass vulnerabilities in Acronis Cyber Protect allowed remote attackers to access and manipulate backup infrastructure without credentials. The risk included full compromise of backup integrity, deletion of recovery data, and exposure of sensitive information.

Immediate patching and log review are mandatory.

Backup infrastructure must be treated as Tier-0 security assets.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.