CVE-2026-28710
Published: 06 March 2026
Summary
CVE-2026-28710 is a critical-severity Weak Authentication (CWE-1390) vulnerability in Acronis Cyber Protect. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-28710, published on 2026-03-06, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) that enables sensitive information disclosure and manipulation due to improper authentication. It affects Acronis Cyber Protect 17 on Linux and Windows platforms prior to build 41186, mapped to CWE-1390.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, including disclosure and manipulation of sensitive information.
The Acronis security advisory SEC-9137 provides details on mitigation and patches, available at https://security-advisory.acronis.com/advisories/SEC-9137.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9945
Vulnerability details
Sensitive information disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote exploitation of a network-accessible service in Acronis Cyber Protect directly enables T1190: Exploit Public-Facing Application for initial access, sensitive information disclosure, and manipulation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly counters improper authentication by limiting and documenting actions permitted without identification or authentication, preventing unauthenticated disclosure and manipulation of sensitive information.
Enforces approved access control policies to block unauthenticated remote access, comprehensively mitigating the vulnerability's high-impact confidentiality, integrity, and availability effects.
Requires robust identification and authentication for non-organizational users, such as remote attackers, to prevent exploitation of the improper authentication flaw.