Advisory on CVE-2023-45247

Sensitive information disclosure and manipulation due to missing authorization

On October 9, 2023, Acronis disclosed a vulnerability in its Acronis Agent for Linux, Mac, and Windows. This vulnerability may allow an unauthorized attacker to view and manipulate antivirus and antimalware protection plans applied to a specific agent. CVE-2023-45247 ID has been assigned to this vulnerability and classified as having high severity.

Impacted IONOS Cloud Products

Product Ranges	Product	Impacted	Mitigated	Patch Status
Managed Services	Backup Service	No	Not applicable	Not applicable
Managed Services	Acronis Agent for Windows, Linux, and Mac	Yes	No	Will be available in late November

Product Ranges

Product

Impacted

Mitigated

Patch Status

Managed Services

Backup Service

Not applicable

Managed Services

Acronis Agent for Windows, Linux, and Mac

Yes

Will be available in late November

What action has IONOS Cloud taken to mitigate the severity?

IONOS and Acronis are in constant communication to gain a deeper understanding of this vulnerability and also ensure that:

There are no signs of active exploitation resulting from the vulnerability. For more information, see Acronis Cyber Protect Cloud Agent update C23.10.
The vulnerability does not allow unauthorized access to IONOS Cloud customers’ backup data. IONOS Cloud will publish the non-vulnerable versions of agents when Acronis shares the information, estimated to be by the end of November 2023.

How can I get help?

If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.

PreviousAdvisory on CVE-2023-45248 NextAdvisory on CVE-2022-40982

Last updated 4 months ago