CVE-2026-28710
Published: 06 March 2026
Description
Sensitive information disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
Mitigating Controls (NIST 800-53 r5)AI
Directly counters improper authentication by limiting and documenting actions permitted without identification or authentication, preventing unauthenticated disclosure and manipulation of sensitive information.
Enforces approved access control policies to block unauthenticated remote access, comprehensively mitigating the vulnerability's high-impact confidentiality, integrity, and availability effects.
Requires robust identification and authentication for non-organizational users, such as remote attackers, to prevent exploitation of the improper authentication flaw.
Security SummaryAI
CVE-2026-28710, published on 2026-03-06, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) that enables sensitive information disclosure and manipulation due to improper authentication. It affects Acronis Cyber Protect 17 on Linux and Windows platforms prior to build 41186, mapped to CWE-1390.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, including disclosure and manipulation of sensitive information.
The Acronis security advisory SEC-9137 provides details on mitigation and patches, available at https://security-advisory.acronis.com/advisories/SEC-9137.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote exploitation of a network-accessible service in Acronis Cyber Protect directly enables T1190: Exploit Public-Facing Application for initial access, sensitive information disclosure, and manipulation.