CVE-2023-45249
Published: 24 July 2024
Summary
CVE-2023-45249 is a critical-severity Use of Default Password (CWE-1393) vulnerability in Acronis Cyber Infrastructure. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2023-45249 is a remote command execution vulnerability caused by the use of default passwords. It affects Acronis Cyber Infrastructure (ACI) builds prior to 5.0.1-61, 5.1.1-71, 5.2.1-69, 5.3.1-53, and 5.4.4-132. The flaw carries a CVSS 3.1 score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction.
An unauthenticated attacker with network access can exploit the default credentials to obtain remote command execution, resulting in full compromise of confidentiality, integrity, and availability on the affected ACI installation. The same exposure allows an adversary to move laterally or persist within the environment once initial access is gained.
Acronis security advisory SEC-6452 directs customers to upgrade to the fixed builds listed above. The vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, and independent reporting confirms it has been exploited in the wild. Its EPSS score of 0.9348 indicates sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-49555
Vulnerability details
Remote command execution due to use of default passwords. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.0.1-61, Acronis Cyber Infrastructure (ACI) before build 5.1.1-71, Acronis Cyber Infrastructure (ACI) before build 5.2.1-69, Acronis Cyber Infrastructure (ACI) before build 5.3.1-53, Acronis Cyber Infrastructure (ACI) before build 5.4.4-132.
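The affected-version statement above is a per-branch rule: each 5.x line has its own first fixed build, and anything earlier on that line is vulnerable. The following script, added here as an example and not part of the advisory or of any Acronis tooling, turns that rule into a triage check over a constructed inventory of ACI build strings. The fixed builds are taken from the text; the hostnames and their build numbers are made up. A build whose major.minor line is not listed in the advisory (for example 5.5.x) is reported as undetermined rather than guessed at.

```python
"""Triage ACI build strings against the fixed builds named in CVE-2023-45249.

Added example (not Acronis code). Fixed builds come from the advisory text;
the SAMPLE_INVENTORY hostnames and versions below are constructed.
"""
from __future__ import annotations

import re
from typing import NamedTuple

# First fixed build on each affected 5.x line, as listed in the advisory.
FIXED_BUILDS = ["5.0.1-61", "5.1.1-71", "5.2.1-69", "5.3.1-53", "5.4.4-132"]


class Build(NamedTuple):
    """ACI build string MAJOR.MINOR.PATCH-BUILD as four integers.

    NamedTuple gives numeric, field-by-field ordering for free, so
    5.4.3-120 < 5.4.4-132 compares the way a human reads it.
    """
    major: int
    minor: int
    patch: int
    build: int

    @property
    def branch(self) -> tuple[int, int]:
        return (self.major, self.minor)


_BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_build(text: str) -> Build:
    """Parse '5.4.4-132' into Build(5, 4, 4, 132); reject anything else."""
    match = _BUILD_RE.match(text.strip())
    if match is None:
        raise ValueError(f"not an ACI build string: {text!r}")
    return Build(*(int(group) for group in match.groups()))


# Map (major, minor) -> first fixed build on that line.
_FIXED_BY_BRANCH = {b.branch: b for b in map(parse_build, FIXED_BUILDS)}


def is_vulnerable(build_text: str) -> bool | None:
    """True if the build predates the fix on its line, False if fixed,
    None if the advisory lists no fixed build for that line."""
    build = parse_build(build_text)
    fixed = _FIXED_BY_BRANCH.get(build.branch)
    if fixed is None:
        return None  # line not covered by the advisory; do not guess
    return build < fixed


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Label every host as VULNERABLE, FIXED or UNDETERMINED."""
    labels = {True: "VULNERABLE", False: "FIXED", None: "UNDETERMINED"}
    return {host: labels[is_vulnerable(version)] for host, version in inventory.items()}


# Constructed sample inventory (hostnames and versions are invented).
SAMPLE_INVENTORY = {
    "aci-node-01": "5.4.3-120",   # before 5.4.4-132 -> vulnerable
    "aci-node-02": "5.4.4-132",   # exactly the fixed build -> fixed
    "aci-node-03": "5.2.1-70",    # after 5.2.1-69 -> fixed
    "aci-node-04": "5.0.0-9",     # before 5.0.1-61 -> vulnerable
    "aci-lab-01": "5.5.0-1",      # line not in advisory -> undetermined
}

if __name__ == "__main__":
    for host, label in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:10} {label}")
```

Feed it the build strings from your own asset inventory; anything labelled UNDETERMINED should be checked against the vendor advisory by hand rather than assumed safe.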
- CWE(s): CWE-1393 (Use of Default Password)
- KEV Date Added: 29 July 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): Directly requires changing default authenticators upon system installation, eliminating the exact root cause of unauthenticated remote command execution via default passwords.
- AC-3 (Access Enforcement): Enforces access control decisions so that network access is denied unless valid, non-default credentials are presented, blocking the unauthenticated RCE path.
- IA-2 (Identification and Authentication): Requires identification and authentication of users before allowing any system access, mitigating the unauthenticated remote exploitation vector.