# Advisory on Acronis Vulnerabilities

On April 29, 2024, Acronis disclosed multiple vulnerabilities in Cyber Protect Agent. As per the advisory published by Acronis, the following are the vulnerability details:

| CVE ID | Vulnerability |
| ------ | ------------- |
| [CVE-2024-34010](https://security-advisory.acronis.com/advisories/SEC-7110), [CVE-2024-34011](https://security-advisory.acronis.com/advisories/SEC-7171) | Local privilege escalation. These vulnerabilities allow an attacker to escalate their privileges. |
| [CVE-2023-48684](https://security-advisory.acronis.com/advisories/SEC-6021), [CVE-2023-48683](https://security-advisory.acronis.com/advisories/SEC-5899) | These vulnerabilities allow sensitive information to be manipulated without authorization. |

The most severe of these vulnerabilities is [CVE-2024-34010](https://security-advisory.acronis.com/advisories/SEC-7110), which is classified as **High** severity with a CVSS score of **8.2**. The attack vectors related to these vulnerabilities are not yet known.

## Impacted IONOS Cloud Products

| Product Ranges | Product | Impacted | Mitigated | Patch Status |
| -------------- | ------- | -------- | --------- | ------------ |
| Storage & Backup | [Backup Service](https://docs.ionos.com/sections-test/guides/storage-and-backup/backup-service) | No | Not Applicable | Not Applicable |
| Storage & Backup | Acronis Agent for Windows, Linux, and Mac | Yes | Yes | Done |

## What action has IONOS Cloud taken to mitigate the severity?

There are no signs of active exploitation resulting from these vulnerabilities. These vulnerabilities do not allow unauthorized access to IONOS Cloud users’ backup data. IONOS Cloud is already in the process of rolling out patched agents for Storage & Backup users.

## What action can you take to mitigate the vulnerability?

You can enable auto-update; vulnerable agents are automatically updated after May 6, 2024. If auto-update is not enabled, you can download the non-vulnerable agent from the **Downloads** section in the [Backup Unit Management](https://docs.ionos.com/sections-test/guides/storage-and-backup/backup-service/how-tos/manage-backup-units) console.

If you have further questions or concerns about this vulnerability, contact [IONOS Cloud Support](https://docs.ionos.com/cloud/support/general-information/contact-information).

## References

[Acronis Advisory Database](https://security-advisory.acronis.com/advisories)
