Skip to main content

Microsoft CVE-2026-28728

| EUVDEUVD-2026-18420 MEDIUM
Uncontrolled Search Path Element (CWE-427)
2026-04-02 Acronis GHSA-r5hg-g2g5-9h8f
6.7
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
6.7 MEDIUM
AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
42902
EUVD ID Assigned
Apr 02, 2026 - 17:30 euvd
EUVD-2026-18420
Analysis Generated
Apr 02, 2026 - 17:30 vuln.today
CVE Published
Apr 02, 2026 - 17:04 nvd
MEDIUM 6.7

DescriptionCVE.org

Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis True Image (Windows) before build 42902.

AnalysisAI

Local privilege escalation in Acronis True Image for Windows before build 42902 exploits DLL hijacking to allow authenticated users to escalate privileges. An attacker with local access and valid credentials can manipulate DLL load paths during application execution, requiring user interaction (such as opening a file or launching a feature), to gain elevated system privileges. This vulnerability has a CVSS score of 6.7 and affects all versions prior to the patched build.

Technical ContextAI

The vulnerability stems from CWE-427 (Uncontrolled Search Path Element), a classic DLL hijacking flaw where the application searches for dynamically loaded libraries in directories where an attacker can place malicious DLL files before the legitimate system directories are checked. Acronis True Image, a Windows-based backup and system imaging utility, fails to implement secure DLL loading practices such as hardcoded absolute paths or DLL pinning. The attack requires local file system access and exploitation is contingent on a user interaction trigger-the application must execute code that attempts to load the hijacked DLL. This is a local-attack-vector vulnerability (AV:L) with high complexity (AC:H) reflecting the need for specific conditions and user action (UI:R) to succeed.

RemediationAI

Users should upgrade Acronis True Image for Windows to build 42902 or later, which contains the vendor-released patch addressing the DLL hijacking vulnerability. The patch implements secure DLL loading mechanisms to prevent untrusted search-path exploitation. Detailed upgrade instructions and the patched build availability are provided in the Acronis advisory at https://security-advisory.acronis.com/advisories/SEC-10401. Until patching is possible, users should restrict local access to systems running vulnerable versions and avoid opening untrusted files or features from directories where attackers might stage malicious DLLs.

Share

CVE-2026-28728 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy