Severity by source
AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis True Image (Windows) before build 42902.
AnalysisAI
Local privilege escalation in Acronis True Image (Windows) before build 42902 allows authenticated users with low privileges to gain high-integrity access through DLL hijacking. An attacker with local user access can exploit unsafe DLL loading to execute arbitrary code with elevated permissions, requiring user interaction (e.g., triggering a specific application action). No public exploit code or active exploitation has been confirmed at the time of analysis.
Technical ContextAI
This vulnerability stems from CWE-427 (Uncontrolled Search Path Element), a classic DLL hijacking weakness in Windows applications. Acronis True Image loads dynamic libraries without properly validating their source or search order, allowing an attacker to place a malicious DLL in a location where the application searches before the legitimate system directory. The attack exploits the Windows DLL loading mechanism, particularly when applications use relative paths or search the current working directory before system directories. The affected product (CPE: cpe:2.3:a:acronis:acronis_true_image:*:*:*:*:*:*:*:*) uses unsafe library resolution that fails to enforce code signing or validate DLL integrity before loading.
RemediationAI
Upgrade Acronis True Image (Windows) to build 42902 or later, which contains the fix for the DLL hijacking vulnerability. Users can verify their current build number via Help > About or the system tray application menu. Acronis recommends applying this update as soon as possible, especially in multi-user environments where non-administrators routinely use the product. As a temporary mitigation, restrict permissions on Acronis application directories to prevent unprivileged users from writing DLL files to locations that the application searches during startup. However, this workaround is not a substitute for patching and should only be deployed when immediate upgrade is impossible. Refer to the official advisory at https://security-advisory.acronis.com/advisories/SEC-10057 for detailed update instructions and validation steps.
Same weakness CWE-427 – Uncontrolled Search Path Element
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18418
GHSA-phg3-8rj7-h8r5