Cyber Resilience

CVE-2025-11791

High

Published: 06 March 2026

Modified: 13 March 2026
KEV Added
Patch
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0002 (4.4th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-11791 is a high-severity Missing Authorization (CWE-862) vulnerability in Acronis Agent. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked at the 4.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).

Deeper analysis

CVE-2025-11791 is a vulnerability involving sensitive information disclosure and manipulation due to insufficient authorization checks, mapped to CWE-862. It affects Acronis Cyber Protect 17 on Linux, macOS, and Windows prior to build 41186, as well as Acronis Cyber Protect Cloud Agent on the same platforms prior to build 41124. The vulnerability has a CVSS v3.1 base score of 7.1, with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, indicating high impacts on confidentiality and integrity but no availability impact.

A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows the attacker to disclose sensitive information and manipulate data, potentially compromising the integrity of protected systems or data within the Acronis environment.

For mitigation details, refer to the Acronis security advisory at https://security-advisory.acronis.com/advisories/SEC-9405, which was published on 2026-03-06.

Vulnerability details

Sensitive information disclosure and manipulation due to insufficient authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186, Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 41124.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1005 Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1565.001 Stored Data Manipulation (tactic: Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

A local, low-privilege authorization bypass directly enables unauthorized reading of sensitive data from the local system (T1005) and manipulation of stored data (T1565.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-35561 (same product: Apple macOS)
CVE-2026-0905 (same product: Apple macOS)
CVE-2026-28710 (same product: Acronis Cyber Protect)
CVE-2026-28718 (same product: Acronis Cyber Protect)
CVE-2025-24181 (same product: Apple macOS)
CVE-2026-9981 (same product: Apple macOS)
CVE-2026-21218 (same product: Apple macOS)
CVE-2026-42899 (same product: Apple macOS)
CVE-2026-30797 (same product: Apple macOS)
CVE-2026-32178 (same product: Apple macOS)

Affected Assets

acronis agent: ≤ c25.10
acronis cyber protect: ≤ 17.0.41186

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly enforces authorization checks before permitting access to sensitive data or functions, addressing the root cause of CWE-862 in the Acronis agent.

prevent: Limits privileges of local accounts so that even a successful bypass yields only minimal data exposure or modification rights.

prevent: Ensures access-control decisions are made by a trusted, centralized mechanism rather than relying on incomplete local checks inside the agent.
