Critical Acronis Cyber Infrastructure vulnerability exploited in the wild (CVE-2023-45249)
CVE-2023-45249, a critical vulnerability affecting older versions of Acronis Cyber Infrastructure, is being exploited by attackers.
About Acronis Cyber Infrastructure
Acronis is a privately held Swiss cybersecurity and data protection technology company.
Acronis Cyber Infrastructure (ACI) is an IT infrastructure solution that provides storage, compute, and network resources. Businesses and service providers use it for data storage, backup storage, creating and managing virtual machines and software-defined networks, running cloud-native applications in production environments, and more.
ACI can run on bare-metal servers and shared cloud servers, as well as inside virtual machines (though with limited services available).
About CVE-2023-45249
CVE-2023-45249 is an authentication bypass vulnerability stemming from the use of a default password.
Remote attackers may leverage it to gain access to servers running ACI:
- Version 5.0 before build 5.0.1-61
- Version 5.1 before build 5.1.1-71
- Version 5.2 before build 5.2.1-69
- Version 5.3 before build 5.3.1-53, and
- Version 5.4 before build 5.4.4-132
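An added example, not from the article or from Acronis: a triage check that classifies inventoried ACI build strings against the fixed builds in the list above. It assumes builds are recorded as MAJOR.MINOR.PATCH-BUILD, as the article writes them; the host names and sample builds are constructed, and collecting the build string from each node is left to your own inventory tooling.

```python
import re

# First fixed build per release branch, from the affected-version list above.
FIXED_BUILDS = {
    (5, 0): (5, 0, 1, 61),
    (5, 1): (5, 1, 1, 71),
    (5, 2): (5, 2, 1, 69),
    (5, 3): (5, 3, 1, 53),
    (5, 4): (5, 4, 4, 132),
}

# Assumed build-string layout: MAJOR.MINOR.PATCH-BUILD, as the article writes it.
BUILD_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)-(\d+)\s*$")

def parse_build(build):
    m = BUILD_RE.match(build)
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    # Compare as integers: as text, "5.4.4-99" would sort after "5.4.4-132".
    return tuple(int(part) for part in m.groups())

def classify(build):
    """Return 'affected', 'fixed', or 'not-listed' for one build string."""
    parsed = parse_build(build)
    fixed = FIXED_BUILDS.get(parsed[:2])
    if fixed is None:
        # The article says nothing about this branch; do not guess.
        return "not-listed"
    return "affected" if parsed < fixed else "fixed"

def triage(inventory):
    """Map host -> status; unparseable entries are flagged for manual review."""
    report = {}
    for host, build in inventory.items():
        try:
            report[host] = classify(build)
        except ValueError:
            report[host] = "needs-review"
    return report

# Constructed inventory (hypothetical host names and builds).
SAMPLE_INVENTORY = {
    "aci-node-01": "5.4.4-99",     # numerically below 5.4.4-132
    "aci-node-02": "5.4.4-132",    # first fixed 5.4 build
    "aci-node-03": "5.2.0-140",    # lower patch level, higher build number
    "aci-node-04": "5.10.1-5",     # branch 5.10, not 5.1
    "aci-node-05": "5.3-update1",  # not in the assumed layout
}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Hosts reported as not-listed or needs-review are not cleared by this check; they need to be compared against the vendor advisory by hand.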
Upgrade ASAP
The vulnerability was fixed nine months ago in ACI v5.0 update 1.4, v5.1 update 1.2, v5.2 update 1.3, v5.3 update 1.3, and v5.4 update 4.2.
“This update contains fixes for 1 critical severity security vulnerability [CVE-2023-45249] and should be installed immediately by all users. This vulnerability is known to be exploited in the wild,” the company added to the release notes for each of those updates, and published a security advisory last week.
Acronis says the vulnerability allows remote command execution, but did not share specifics or say whether the risk of exploitation can be mitigated by changing the default password.
The company also did not share information about the nature of the attack(s), though cryptojacking and ransomware/cyber extortion seem like the most likely possibilities. We’ve asked Acronis to share more details, and will update this article when/if we receive a response.
UPDATE (July 30, 2024, 01:35 p.m. ET):
“Acronis support team received a request from a customer of Acronis Cyber Infrastructure about performance degradation. During the initial investigation, the Acronis team discovered crypto-mining software. After a prompt investigation by the security team, the vulnerability used to install the crypto-mining software was discovered, and a patch was released and delivered to the customer,” a company spokesperson shared with Help Net Security.
“Customers running the older version of Acronis Cyber Infrastructure impacted by the vulnerability were promptly informed, provided a patch and recommended upgrading to the new version. Acronis Cyber Protect Cloud, Acronis Cyber Protect and Acronis True Image customers were not affected by the vulnerability.”