CVE-2023-45249: Critical RCE Vulnerability in Acronis Cyber Infrastructure Under Attack
Acronis has announced that a critical vulnerability in its Acronis Cyber Infrastructure (ACI) product, although already patched, has been actively exploited by attackers.
The vulnerability, identified as CVE-2023-45249 and rated 9.8 on the CVSS scale, allows for remote code execution and is linked to the use of default passwords.
The following versions of ACI are affected:
- Versions up to 5.0.1-61;
- Versions up to 5.1.1-71;
- Versions up to 5.2.1-69;
- Versions up to 5.3.1-53;
- Versions up to 5.4.4-132.
The vulnerability was addressed in updates 5.4 update 4.2, 5.2 update 1.3, 5.3 update 1.3, 5.0 update 1.4, and 5.1 update 1.2, released in late October 2023.
Currently, there is no detailed information on how the vulnerability is being exploited in real attacks or who is responsible. Nevertheless, Acronis has confirmed instances of active exploitation, urging users of affected ACI versions to update to the latest version as soon as possible to mitigate potential threats.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2023-45249 to its Known Exploited Vulnerabilities (KEV) catalog and has mandated that U.S. Federal Civilian Executive Branch (FCEB) agencies rectify this issue in their systems by August 19, 2024.