In late 2022, a significant vulnerability tracked as CVE-2022-44746 was discovered in the widely-used backup software Acronis Cyber Protect Home Office for Windows. This security flaw, present in versions released before build 40107, can allow malicious users to access sensitive information due to overly permissive folder settings.

If you use Acronis Cyber Protect Home Office or are responsible for systems protection, this long read will help you understand how the vulnerability works, see the technical details – including code snippets for exploitation and auditing – and above all, learn how to stay secure.

What’s the Problem?

Backup tools like Acronis Cyber Protect Home Office (formerly known as Acronis True Image) are meant to keep your data safe. Ironically, earlier versions exposed user data to attackers on the same system due to improperly configured folder permissions.

Put simply: specific application folders, meant only for use by administrators or Acronis itself, were left too open, allowing other users or malicious software to read sensitive data. In some cases, attackers could potentially even tamper with Acronis processes by injecting data or malicious code into these writable folders.

Vulnerable versions: All releases before build 40107.

If you haven’t updated your Acronis software since November 2022, you may still be at risk.

How Do Folder Permissions Work?

On Windows, every file and folder has permissions specifying who can read, write, or execute them. Sensitive folders should only allow trusted users (e.g., Administrators or Users running Acronis with proper privileges) to access them.

The problem arises when these folders are created with Everyone: Full Control or similar broad access. Any user on the PC – including a malicious user or process – could then:

- Read sensitive config and log files (potentially exposing credentials or backup paths)
- Write/replace files (possibly leading to malfunctions or further attacks)

Vulnerable Folders

Through analysis, security researchers found that certain Acronis folders – such as those storing logs, configuration, or program state – were installed with insecure permissions.

For example, imagine the folder

C:\ProgramData\Acronis\TrueImageHome\Logs\

Proof-of-Concept: Check Folder Permissions (PowerShell Example)

Let’s see how a simple PowerShell script can show you if your system is vulnerable. Open PowerShell (as any standard user):

# Check folder permissions for sensitive Acronis directories
$acronisDir = "C:\ProgramData\Acronis"
Get-Acl $acronisDir | Format-List

Look for entries like this, where a broad group such as Everyone is allowed FullControl:

Path   : C:\ProgramData\Acronis
Access : BUILTIN\Administrators Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         Everyone Allow  FullControl

Exploit Scenario

Let’s imagine a multi-user Windows machine with Acronis installed and outdated. Here’s how an attacker with standard user rights could exploit the issue:

Analyze the files for sensitive info:

- Backup source/destination paths
- Domain names and computer names
- Possibly backup credentials (if logs/configs include them)
- Potential attack vectors for lateral movement

Some more sophisticated attacks could involve DLL hijacking or process injection if writable folders are located inside Program Files, though that is not the central focus of this CVE.

Mitigations

1. Update Acronis Immediately
The best solution is to update Acronis Cyber Protect Home Office to build 40107 or later, where folder permissions have been corrected.
- Acronis official downloads page

2. Audit and Fix Folder Permissions Manually
If updating is not immediately possible, you can fix permissions yourself.

Example (run as Administrator)

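# Remove 'Everyone' from the Acronis data directory
$path = "C:\ProgramData\Acronis"
icacls $path /remove "Everyone"
# Grant full control to Administrators and SYSTEM, inherited by files (OI) and subfolders (CI)
icacls $path /grant "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F"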

Repeat for all relevant Acronis folders.
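
To find which folders are relevant, the PowerShell audit below walks the Acronis data directory and lists every Allow entry held by a broad group. It is an added example, not code from Acronis or from the original article; the default root path is taken from the path used above, and the function name Get-BroadAce and the choice of broad groups are assumptions made for this example.

```powershell
# Added example (not Acronis code): list ACEs that open Acronis data folders
# to broad groups. The default $Root is an assumption based on the path above.
param([string]$Root = 'C:\ProgramData\Acronis')

# Well-known SIDs instead of names, so the check works on any Windows locale.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Bits that allow changing content: Write (0x116), DeleteSubdirectoriesAndFiles,
# Delete, ChangePermissions, TakeOwnership, plus GENERIC_WRITE and GENERIC_ALL,
# which Get-Acl can return unmapped on inherit-only entries.
$WriteMask = 0x116 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor
    0x40000000 -bor 0x10000000

function Get-BroadAce {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $Path"; return }

    # Ask for rules with SID identities so no name translation is needed.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $BroadSids.ContainsKey($sid)) { continue }
        $canWrite = ([int]$ace.FileSystemRights -band $WriteMask) -ne 0
        [pscustomobject]@{
            Path      = $Path
            Principal = $BroadSids[$sid]
            Exposure  = if ($canWrite) { 'Write' } else { 'Read' }
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if (-not (Test-Path -LiteralPath $Root)) { Write-Warning "$Root not found"; return }

# Audit the root and every subfolder, including hidden ones.
$folders = @($Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object FullName)
$folders | ForEach-Object { Get-BroadAce -Path $_ } |
    Sort-Object Exposure, Path | Format-Table -AutoSize -Wrap
```

Run it as Administrator so that every subfolder's ACL can be read. Rows with Inherited = False are set on that folder itself and need the icacls fix applied there; inherited rows are corrected at the parent folder.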

Final Thoughts

CVE-2022-44746 is a good example of why even non-networked, local vulnerabilities matter – especially with data protection software. Insecure permission settings can turn your backup solution into an unexpected security risk. Keep your software updated, and audit folder permissions regularly to prevent future incidents.

Timeline

Published on: 11/07/2022 20:15:00 UTC
Last modified on: 11/08/2022 19:24:00 UTC