---
Introduction
A serious security vulnerability, CVE-2023-48680, has been discovered in Acronis Cyber Protect 16 (Builds prior to 37391) for macOS and Windows. This flaw allows unauthorized disclosure of sensitive system information due to excessive data collection and improper protections. In this post, we’ll break down what happened, how attackers can exploit it, provide code snippets, and show you where to get patch information.
What Is CVE-2023-48680?
CVE-2023-48680 is a Sensitive Information Disclosure vulnerability. Acronis Cyber Protect 16, a popular backup and cyber protection software, was found to collect and expose more system information than necessary during operations. In certain scenarios, attackers can remotely access this data, giving them knowledge about your network, users, and environment.
How Does The Flaw Work?
When endpoints running Acronis Cyber Protect 16 connect to the management server or cloud, their agent sends detailed system information. Unfortunately, due to insufficient filtering and over-broad data collection, this includes sensitive details like:
Who Can Exploit It?
If an attacker can intercept or monitor the communication between the endpoint and Acronis management server—say, by being on the same network or leveraging MITM techniques—they can review the HTTP POST payloads and grab this information, even if they're not authenticated.
Proof-of-Concept (PoC) Code
Here’s a simplified example using Python and mitmproxy to catch leaked data. Do not use maliciously, for educational and defensive testing only!
from mitmproxy import http
def response(flow: http.HTTPFlow) -> None:
if "acronis.com" in flow.request.pretty_host and flow.request.method == "POST":
if b"system_information" in flow.request.content:
print("[!] Found sensitive system information leak!")
print(flow.request.content.decode('utf-8', errors='ignore'))
1. Set up Mitmproxy.
Run the above snippet as a custom addon.
3. Watch for outgoing POST requests from Acronis endpoints; review payload for names, device info, network details.
Note: In the wild, attacks could be more sophisticated—using traffic sniffing, endpoint malware, or phishing to get at these POST bodies.
Develop tailored attacks for exposed endpoints.
This does not directly leak passwords or backup data, but the "footprint" it provides can lead to deeper compromises.
References
- Acronis Security Advisory *(official patch notice)*
- CVE Record: CVE-2023-48680
- Mitmproxy Traffic Sniffing Guide
Solution & Remediation
Acronis has fixed the vulnerability in build 37391 and above.
Update immediately if you’re running an earlier build.
Download the latest installer from your Acronis portal.
2. Follow Acronis patch instructions.
Enable communications over VPN.
- Monitor network traffic for strange/copycat POST requests.
Conclusion
CVE-2023-48680 shows that even defensive tools like endpoint security and backup can leak details if not careful about what they collect or share. Keeping your security tools up to date is essential—not just your operating system. If you use Acronis Cyber Protect, patch now and review your internal network posture!
For any questions or help defending against similar issues, feel free to reach out.
*This post is for defensive awareness only. Always get proper authorization before testing or monitoring network traffic.*
Timeline
Published on: 02/27/2024 17:15:10 UTC
Last modified on: 02/28/2024 14:07:00 UTC