Cyber Resilience

CVE-2023-45249

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 24 July 2024
Modified: 22 October 2025
KEV Added: 29 July 2024
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9348 (99.8th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-45249 is a critical-severity Use of Default Password (CWE-1393) vulnerability in Acronis Cyber Infrastructure. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2023-45249 is a remote command execution vulnerability caused by the use of default passwords. It affects Acronis Cyber Infrastructure (ACI) builds prior to 5.0.1-61, 5.1.1-71, 5.2.1-69, 5.3.1-53, and 5.4.4-132. The flaw carries a CVSS 3.1 score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction.

An unauthenticated attacker with network access can exploit the default credentials to obtain remote command execution, resulting in full compromise of confidentiality, integrity, and availability on the affected ACI installation. The same exposure allows an adversary to move laterally or persist within the environment once initial access is gained.

Acronis security advisory SEC-6452 directs customers to upgrade to the fixed builds listed above. The vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, and independent reporting confirms it has been exploited in the wild. Its EPSS score of 0.9348 indicates sustained exploitation interest following disclosure.
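To turn the fixed-build list above into an inventory check, the following added example (not code from Acronis or from this page) classifies ACI build strings against the builds named in SEC-6452. It assumes a build is compared only with the fixed build of its own major.minor release line; the hostnames and sample builds are constructed.

```python
import re

# Fixed builds listed on this page, keyed by release line (major, minor).
# Assumption: a build is compared only with the fixed build of its own line.
FIXED_BUILDS = {
    (5, 0): (1, 61),
    (5, 1): (1, 71),
    (5, 2): (1, 69),
    (5, 3): (1, 53),
    (5, 4): (4, 132),
}
_BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")

def parse_build(text):
    """Split 'major.minor.patch-build' into (release line, (patch, build))."""
    m = _BUILD_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {text!r}")
    major, minor, patch, build = map(int, m.groups())
    return (major, minor), (patch, build)

def classify(text):
    """Return 'vulnerable', 'fixed' or 'unlisted' for one build string."""
    line, installed = parse_build(text)
    fixed = FIXED_BUILDS.get(line)
    if fixed is None:
        return "unlisted"  # release line not on the page: check the advisory by hand
    return "vulnerable" if installed < fixed else "fixed"

def triage(inventory):
    """Map {host: build string} to {host: status}; bad strings become 'unparsed'."""
    report = {}
    for host, build in inventory.items():
        try:
            report[host] = classify(build)
        except ValueError:
            report[host] = "unparsed"
    return report

# Constructed sample inventory (hostnames and builds are made up).
SAMPLE = {
    "aci-node-01": "5.4.4-131",
    "aci-node-02": "5.4.4-132",
    "aci-node-03": "5.0.0-999",
    "aci-node-04": "5.5.0-10",
    "aci-node-05": "5.4",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```

Hosts reported as unlisted or unparsed need a manual check against the advisory rather than being treated as safe.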


Vulnerability details

Remote command execution due to use of default passwords. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.0.1-61, Acronis Cyber Infrastructure (ACI) before build 5.1.1-71, Acronis Cyber Infrastructure (ACI) before build 5.2.1-69, Acronis Cyber Infrastructure (ACI) before build 5.3.1-53, Acronis Cyber Infrastructure (ACI) before build 5.4.4-132.

CWE(s)
KEV Date Added: 29 July 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

acronis
cyber infrastructure
≤ 5.0.1-61 · 5.1.1 — 5.1.1-71 · 5.2.1 — 5.2.1-69

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires changing default authenticators upon system installation, eliminating the exact root cause of unauthenticated remote command execution via default passwords.

prevent

Enforces access control decisions so that network access is denied unless valid, non-default credentials are presented, blocking the unauthenticated RCE path.

prevent

Requires identification and authentication of users before allowing any system access, mitigating the unauthenticated remote exploitation vector.
