Skip to main content

Microsoft CVE-2026-33271

| EUVDEUVD-2026-18424 MEDIUM
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-04-02 Acronis
6.7
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
6.7 MEDIUM
AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
42902
EUVD ID Assigned
Apr 02, 2026 - 17:30 euvd
EUVD-2026-18424
Analysis Generated
Apr 02, 2026 - 17:30 vuln.today
CVE Published
Apr 02, 2026 - 17:06 nvd
MEDIUM 6.7

DescriptionCVE.org

Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis True Image (Windows) before build 42902.

AnalysisAI

Local privilege escalation in Acronis True Image for Windows before build 42902 allows authenticated users with low privileges to escalate to higher privileges through insecure folder permissions. An attacker with local access and user-level privileges can exploit improper permission settings on critical directories to achieve full system compromise, requiring user interaction (file execution or folder navigation). This vulnerability has a CVSS score of 6.7 reflecting high confidentiality, integrity, and availability impact despite the elevated barriers to exploitation.

Technical ContextAI

The vulnerability stems from CWE-732 (Incorrect Permission Assignment for Critical Resource), a class of weakness involving improper access controls on sensitive directories or files. Acronis True Image, a disk imaging and backup utility for Windows, fails to properly restrict permissions on folders that are critical to its operation or to system functionality. This allows an authenticated local user with limited privileges to modify or execute files within these directories, bypassing Windows' standard permission model. The attack vector is local (AV:L), indicating the attacker must have local system access, and the attack complexity is high (AC:H), suggesting the exploitation path is non-trivial and may require specific conditions or user interaction.

RemediationAI

Acronis has released a patched version addressing this vulnerability in build 42902 and later. Users should upgrade Acronis True Image to build 42902 or a more recent version to remediate the insecure folder permissions. The official security advisory at https://security-advisory.acronis.com/advisories/SEC-9108 provides detailed guidance on obtaining and applying the patch. If immediate upgrade is not feasible, restrict local system access to trusted users only and monitor for suspicious file modifications within Acronis installation directories.

Share

CVE-2026-33271 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy