PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-45249 Acronis CVE debrief

CVE-2023-45249 is an insecure default password vulnerability in Acronis Cyber Infrastructure (ACI). CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on 2024-07-29; a KEV listing means CISA has evidence of active exploitation and treats remediation as urgent. The required action is to apply mitigations per vendor instructions, or to discontinue use of the product if mitigations are unavailable.

Vendor: Acronis
Product: Cyber Infrastructure (ACI)
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2024-07-29
Original CVE updated: 2024-07-29
Advisory published: 2024-07-29
Advisory updated: 2024-07-29

Who should care

Administrators, security teams, and asset owners responsible for Acronis Cyber Infrastructure (ACI) deployments should prioritize this issue, especially if the environment may still rely on default or undocumented credentials.

Technical summary

The vulnerability is classed as an insecure default password issue in Acronis Cyber Infrastructure (ACI). In practical defensive terms, any deployment on which the default credentials are still in place, or have not otherwise been remediated, should be treated as exposed. The only remediation guidance in the corpus is to follow the vendor's mitigation instructions, or to stop using the product if no mitigation is available.

Defensive priority

High

Recommended defensive actions

  • Review all Acronis Cyber Infrastructure (ACI) deployments for any default or unchanged credentials.
  • Apply mitigations exactly as provided in Acronis' advisory SEC-6452.
  • If vendor mitigations are unavailable or cannot be applied promptly, discontinue use of the product as directed by CISA.
  • Confirm exposure status in asset inventories and prioritize any internet-facing or privileged management instances.
  • Track the CISA KEV due date of 2024-08-19 as the remediation deadline for this issue.
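A small triage helper for the actions above, added here as an example and not PatchSiren's, CISA's or Acronis' tooling: it filters a KEV-format feed for the affected vendor and product, classifies each match against its KEV due date, and lists inventory records running that product with internet-facing hosts first. The feed sample and the asset inventory are constructed (the feed uses the public KEV JSON field names and this debrief's dates; the hosts and the second feed entry are placeholders).

```python
import json
from datetime import date

# Constructed sample shaped like the public CISA KEV JSON feed. Field names follow
# the published schema; values come from this debrief. Second entry is a placeholder.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-45249", "vendorProject": "Acronis",
     "product": "Cyber Infrastructure (ACI)",
     "vulnerabilityName": "Insecure default password vulnerability",
     "dateAdded": "2024-07-29", "dueDate": "2024-08-19",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
    {"cveID": "CVE-0000-00000", "vendorProject": "PlaceholderVendor",
     "product": "Placeholder Product", "vulnerabilityName": "Placeholder",
     "dateAdded": "2024-07-01", "dueDate": "2024-07-22", "requiredAction": "n/a"},
]})

# Constructed asset inventory (hypothetical hosts), as a CMDB export might look.
INVENTORY = [
    {"host": "aci-node-02.example.internal", "product": "Acronis Cyber Infrastructure (ACI)", "internet_facing": False},
    {"host": "aci-mgmt-01.example.internal", "product": "Acronis Cyber Infrastructure (ACI)", "internet_facing": True},
    {"host": "files-03.example.internal", "product": "Unrelated File Server", "internet_facing": True},
]

def kev_entries_for(feed_json, vendor, product_fragment):
    """KEV entries whose vendor matches exactly and whose product contains the fragment."""
    feed = json.loads(feed_json)
    return [v for v in feed["vulnerabilities"]
            if v["vendorProject"].lower() == vendor.lower()
            and product_fragment.lower() in v["product"].lower()]

def remediation_status(entry, today_iso):
    """Classify an entry against its KEV due date; returns (status, days_remaining)."""
    days_left = (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today_iso)).days
    if days_left < 0:
        return "OVERDUE", days_left
    if days_left <= 7:
        return "DUE_SOON", days_left
    return "OPEN", days_left

def exposed_assets(inventory, entry):
    """Inventory records running the affected product, internet-facing hosts first."""
    hits = [a for a in inventory if entry["product"].lower() in a["product"].lower()]
    return sorted(hits, key=lambda a: (not a["internet_facing"], a["host"]))

if __name__ == "__main__":
    for entry in kev_entries_for(KEV_SAMPLE, "Acronis", "Cyber Infrastructure"):
        status, days = remediation_status(entry, "2024-08-15")
        print(entry["cveID"], status, f"{days} day(s) until {entry['dueDate']}")
        for asset in exposed_assets(INVENTORY, entry):
            print("  ", asset["host"], "(internet-facing)" if asset["internet_facing"] else "")
```

Point `KEV_SAMPLE` at the live feed and `INVENTORY` at a real export to use it for tracking; matching is by product substring, so inventory product names must carry the vendor's product string.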

Evidence notes

This debrief is limited to the supplied corpus: the CVE title/description, the CISA KEV entry metadata, and the official resource links. The corpus identifies the issue as an insecure default password vulnerability, lists Acronis Cyber Infrastructure (ACI) as the affected product, and marks the CVE as a KEV entry added on 2024-07-29 with a due date of 2024-08-19. No CVSS score or version-specific impact details were supplied.

Official resources

Publicly disclosed CVE and CISA KEV entry dated 2024-07-29.