CVE-2023-45249 — Acronis Cyber Infrastructure (ACI) Insecure Default Password Vulnerability

CVE-2023-45249

Acronis Cyber Infrastructure — Default Password Enables Unauthenticated Remote Code Execution via Self-Service Portal; Active Exploitation Confirmed; July 2024 KEV

What is Acronis Cyber Infrastructure (ACI)?

Acronis Cyber Infrastructure (ACI) is a software-defined infrastructure platform that delivers integrated storage, networking, and compute services for managed service providers (MSPs) and enterprise data centers. ACI runs as a hyperconverged stack on physical servers and provides the object storage, block storage, and backup services that underpin Acronis' cloud backup and disaster recovery offerings. ACI instances are typically operated by service providers who sell backup and storage services to many end-customer organizations, so a compromised ACI server exposes the backup data of every customer served by that deployment, potentially including all backed-up files, databases, and VM images for the MSP's entire customer base.

Overview

CVE-2023-45249 is a critical insecure default password vulnerability in Acronis Cyber Infrastructure: the platform ships with a default password for its self-service web portal that, if left unchanged, lets any unauthenticated remote attacker who can reach the portal authenticate and execute arbitrary commands on the ACI server. Acronis shipped fixed builds in October 2023; the CVE record was published in July 2024 together with Acronis' confirmation of active exploitation in the wild. CISA added it to the KEV catalog five days after publication.

Affected Versions

Product: Acronis Cyber Infrastructure (ACI)

Release line    Fixed build (earlier builds in the line are affected)
ACI 5.0         5.0.1-61
ACI 5.1         5.1.1-71
ACI 5.2         5.2.1-69
ACI 5.3         5.3.1-53
ACI 5.4         5.4.4-132

Technical Details

CWE-1393 (Use of Default Password). ACI's self-service portal, a web interface reachable on the ACI management network, is configured with a default password during initial installation. Operators who never change that password leave the portal fully accessible to any attacker who can reach it. Once logged in, the attacker can execute commands on the underlying ACI server and reach the full capabilities of the management plane, including object storage contents, backup data, and infrastructure configuration.

The severity reflects two things: the criticality of ACI's role (backup infrastructure holding complete data copies for MSP customers) and the effectively unauthenticated exploitation path (a default password requires no credential theft, only knowledge of the default, which is why the CVSS vector scores Privileges Required as None rather than treating the login as a barrier). Default passwords on infrastructure management interfaces are a persistent problem in enterprise environments, where initial deployments often keep default credentials for convenience and never revisit them.

Discovery

Acronis confirmed active exploitation when the CVE was published in July 2024, nearly 10 months after the fixed builds were released in October 2023. For operators who track CVE feeds and KEV rather than each vendor's advisory page, that gap meant no signal to prioritise the upgrade until July 2024. The exploitation confirmation at publication time indicates that attackers found and used the default credential on ACI instances that were still running unfixed builds or still carrying the default password.

Exploitation Context

Acronis ACI is used by managed service providers as the storage and backup backend for their customers. Compromising an MSP's ACI server yields access to backup data for potentially hundreds of client organizations, making this a high-leverage supply chain attack vector. Threat actors targeting MSPs (as in the Kaseya/REvil ransomware campaign of 2021, among others) know that compromising a single MSP infrastructure platform gives simultaneous access to many downstream victims. ACI instances exposed to the internet with the default password still in place are trivially exploitable by any actor with basic scanning tools.

Remediation

  1. Upgrade every ACI node in the cluster to at least the fixed build for its release line (listed above); a cluster with one lagging node is still exposed.
  2. Change the self-service portal password immediately, and verify the change on patched builds as well: the credential should be strong and unique, never the shipped default.
  3. Restrict access to the ACI management interface to trusted management networks; the management portal should never be internet-accessible.
  4. Audit every ACI instance for evidence of unauthorized access: review portal authentication logs, look for unexpected administrative actions, and check backup data for unauthorized reads or exfiltration.
  5. If the default password was in use and the instance was internet-accessible, treat all backup data stored on it as potentially compromised; notify affected customers and start incident response.
  6. Review default credentials across other Acronis infrastructure components and MSP management platforms as part of broader credential hygiene.
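The fixed builds above differ per release line, and a plain string comparison of build numbers gets them wrong (for example "5.4.4-99" sorts after "5.4.4-132" as text). The script below, an added example and not an Acronis tool, parses ACI build strings numerically and triages a cluster inventory for remediation step 1. The fixed builds are the ones from this advisory; the build-string format MAJOR.MINOR.PATCH-BUILD, the node inventory, and the treatment of release lines newer than 5.4 as post-fix are assumptions for illustration.

```python
"""Triage Acronis Cyber Infrastructure nodes against the CVE-2023-45249 fixed builds.

Added example, not Acronis tooling. The fixed builds are taken from the advisory;
the build-string format "MAJOR.MINOR.PATCH-BUILD", the sample inventory and the
handling of release lines outside 5.0-5.4 are assumptions made for this example.
"""
import re
from typing import NamedTuple

# Fixed build per release line, as listed in the advisory for CVE-2023-45249.
FIXED_BUILDS = {
    (5, 0): "5.0.1-61",
    (5, 1): "5.1.1-71",
    (5, 2): "5.2.1-69",
    (5, 3): "5.3.1-53",
    (5, 4): "5.4.4-132",
}

# Assumed build-string format, e.g. "5.4.4-132".
_BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_build(build: str) -> tuple:
    """Turn '5.4.4-132' into (5, 4, 4, 132) so builds compare numerically.

    Comparing the raw strings would rank '5.4.4-99' above '5.4.4-132'.
    """
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised ACI build string: {build!r}")
    return tuple(int(g) for g in m.groups())


def is_fixed(build: str) -> bool:
    """True if the build is at or above the fixed build for its release line.

    Assumption: release lines newer than 5.4 shipped after the fix and are
    treated as fixed; lines older than 5.0 have no listed fix and are treated
    as needing attention.
    """
    version = parse_build(build)
    line = version[:2]
    if line in FIXED_BUILDS:
        return version >= parse_build(FIXED_BUILDS[line])
    return line > max(FIXED_BUILDS)


class Node(NamedTuple):
    name: str
    build: str


def triage(nodes: list) -> dict:
    """Split a cluster inventory into nodes that still need the patch and nodes already fixed."""
    result = {"needs_patch": [], "fixed": []}
    for node in nodes:
        bucket = "fixed" if is_fixed(node.build) else "needs_patch"
        result[bucket].append(node.name)
    return result


# Constructed inventory for the example; these are not real hosts.
SAMPLE_NODES = [
    Node("aci-node-01", "5.4.4-132"),   # exactly the fixed build
    Node("aci-node-02", "5.4.3-120"),   # one patch level behind the fix
    Node("aci-node-03", "5.3.1-53"),    # fixed build of the 5.3 line
    Node("aci-node-04", "5.2.0-15"),    # well behind the 5.2 fix
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_NODES).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

A node that is on the fixed build is only half done: step 2 (replacing the default portal password) still has to be verified separately, since this check says nothing about which credential the portal currently accepts.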

Key Details

Property                 Value
CVE ID                   CVE-2023-45249
Vendor / Product         Acronis — Cyber Infrastructure (ACI)
NVD Published            2024-07-24
NVD Last Modified        2025-10-22
CVSS 3.1 Score           9.8
CVSS 3.1 Vector          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity                 CRITICAL
CWE                      CWE-1393
CISA KEV Added           2024-07-29
CISA KEV Deadline        2024-08-19
Known Ransomware Use     No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2024-08-19. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2023-10-04    Acronis releases ACI build 5.4.4-132 fixing CVE-2023-45249
2024-07-24    CVE-2023-45249 published; Acronis confirms active exploitation in the wild
2024-07-29    CISA adds CVE-2023-45249 to the Known Exploited Vulnerabilities catalog
2024-08-19    CISA BOD 22-01 remediation deadline