CVE-2025-30412
Acronis · Cyber Protect
Acronis Cyber Protect (Linux and Windows) suffers from an improper authentication vulnerability allowing sensitive data disclosure and manipulation in versions 15 and 16.
Executive summary
Acronis Cyber Protect faces a maximum-severity risk where improper authentication allows unauthenticated attackers to disclose or alter critical system and backup data.
Vulnerability
Similar to related entries in this series, this vulnerability involves a failure in the authentication mechanism. It enables an attacker to interact with the software's data management functions without proper identity verification, leading to unauthorized data manipulation.
Business impact
The CVSS score of 10.0 reflects a total compromise of the affected system. In the context of backup software, this allows for the destruction of archives and the theft of sensitive organizational secrets. The impact on business operations is catastrophic, as the integrity of all backed-up data can no longer be guaranteed once an attacker gains this level of access.
Remediation
Immediate Action: Apply the latest security updates (Build 39938 for v16; Build 41800 for v15) to all Acronis agents and management servers.
Proactive Monitoring: Monitor network traffic for unusual outbound data transfers from the backup server and review all recent configuration changes within the Acronis console.
Compensating Controls: Implement robust egress filtering to prevent the management server from communicating with unknown external IP addresses, limiting the impact of data disclosure.
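The monitoring and egress-filtering steps above, as an added example that is not part of this advisory or of Acronis's own tooling: a Python check that reads constructed flow-summary records from the backup server, compares each destination against an assumed egress allowlist, and flags large outbound volumes to unknown addresses. The server address, allowlist, record format and threshold are all assumptions to be replaced with site values.

```python
"""Flag unusual outbound transfers from a backup server (added example, not vendor code)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of flow-summary records (format is an assumption):
# timestamp  src_ip  dst_ip  dst_port  bytes_out
SAMPLE_FLOWS = """\
2025-04-01T02:10:05Z 10.20.0.5 10.20.0.9 443 1843200
2025-04-01T02:15:41Z 10.20.0.5 10.20.0.9 443 2210000
2025-04-01T02:31:12Z 10.20.0.5 203.0.113.77 443 5368709120
2025-04-01T02:33:00Z 10.20.0.5 198.51.100.3 8443 90000
2025-04-01T03:05:17Z 10.20.0.5 192.0.2.10 22 52428800
"""

BACKUP_SERVER = ip_address("10.20.0.5")   # assumed address of the management server
# Assumed allowlist: internal storage range plus a placeholder vendor/update range.
KNOWN_EGRESS = [ip_network("10.20.0.0/16"), ip_network("198.51.100.0/24")]
THRESHOLD_BYTES = 1 * 1024 ** 3           # 1 GiB per destination; tune per site


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        flows.append({"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def is_known(dst):
    """True when the destination falls inside an allowlisted network."""
    return any(dst in net for net in KNOWN_EGRESS)


def unknown_destinations(flows):
    """Every non-allowlisted destination the backup server talked to (review list)."""
    return sorted({str(f["dst"]) for f in flows
                   if f["src"] == BACKUP_SERVER and not is_known(f["dst"])})


def unusual_egress(flows, threshold=THRESHOLD_BYTES):
    """Map dst_ip -> bytes for non-allowlisted destinations whose total exceeds the threshold."""
    totals = defaultdict(int)
    for f in flows:
        if f["src"] == BACKUP_SERVER and not is_known(f["dst"]):
            totals[str(f["dst"])] += f["bytes"]
    return {dst: n for dst, n in totals.items() if n > threshold}


if __name__ == "__main__":
    fl = parse_flows(SAMPLE_FLOWS)
    print("unknown destinations:", unknown_destinations(fl))
    for dst, n in unusual_egress(fl).items():
        print(f"ALERT {dst}: {n / 1024 ** 3:.2f} GiB out")
```

Every entry in the review list is a candidate for the egress filter's deny rule; the volume alert is the signal the monitoring step asks for.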
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability represents a critical failure in the security boundary of a high-privilege application. Given the CVSS 10.0 rating, the primary remediation (patching) must be executed within the current change window. Ensure all backup repositories are verified for integrity following the update.