Acronis Backup Plugins Hit by CVE-2024-8767: CVSS 9.9 Severity Alert
In a recent advisory published on September 16th, data protection powerhouse Acronis disclosed a critical security vulnerability in its popular backup plugins for server management platforms like cPanel, Plesk, and DirectAdmin. The vulnerability, identified as CVE-2024-8767, poses a serious risk to users, with a severity score of 9.9 on the Common Vulnerability Scoring System (CVSSv3.0)—classifying it as Critical.
The vulnerability affects the Linux-based Acronis Backup plugins for cPanel & WHM, Plesk, and DirectAdmin, which are widely used by administrators to automate server and website backups. Acronis revealed that the flaw stems from permission settings within the plugins, which could lead to the leakage of sensitive information and allow unauthorized operations on affected servers. This means that without the proper updates, servers running these plugins could be exposed to severe data breaches or manipulation.
Although Acronis issued patches for the CVE-2024-8767 flaw over a year ago—DirectAdmin version 1.2.0 in May 2023, and cPanel & WHM version 1.8.0 and Plesk version 1.8.0 in June 2023—the company’s latest advisory signals concern that many systems remain unpatched. Unprotected installations could be prime targets for attackers, particularly given the high-impact nature of the vulnerability.
In July 2024, Acronis issued a critical security alert urging customers to address a vulnerability in its Cyber Infrastructure product. This flaw, tracked as CVE-2023-45249, enables attackers to bypass authentication using default credentials and gain remote code execution on unpatched servers. The company confirmed active exploitation of this vulnerability and emphasized the urgent need for administrators to apply the necessary patches.