CVE-2020-10138
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2020-10138
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Description
Acronis Cyber Backup 12.5 and Cyber Protect 15 include an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\. Acronis Cyber Backup and Cyber Protect contain a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
访问控制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Acronis Cyber Backup 访问控制错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Acronis Cyber Backup是新加坡安克诺斯(Acronis)的一款数据备份产品。可以对虚拟机和主机进行备份,支持windows、linux的备份,使用AcronisInstantRestore提供极快的恢复性能,并且支持灵活的存储方案,极大保障企业的数据安全。 Acronis Cyber Backup 12.5版本和Cyber Protect 15版本存在访问控制错误漏洞,该漏洞源于包含一个OpenSSL组件,该组件指定OPENSSLDIR变量作为C:jenkins_agent中的子目录。A
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Acronis | Cyber Backup | 12.5 ~ 16363 | - | |
| Acronis | Cyber Protect | 15 ~ 24600 | - |
II. Public POCs for CVE-2020-10138
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2020-10138
Please Login to view more intelligence information
- https://www.kb.cert.org/vuls/id/114757x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2020-10138
Same Patch Batch · Acronis · 2020-10-21 · 3 CVEs total
| CVE-2020-10139 | 7.8 HIGH | Acronis Cyber Backup 访问控制错误漏洞 |
| CVE-2020-10140 | 7.8 HIGH | Acronis True Image 访问控制错误漏洞 |
IV. Related Vulnerabilities
Same weakness: CWE-284
- CVE-2026-8233
Dotouch XproUPF access control - CVE-2026-42569
phpvms: /importer authorization bypass causing full database - CVE-2026-42205
Avo: Broken Access Control: Unauthorized Execution of Arbitr - CVE-2026-41487
Langfuse: Improper role-based-access control in Langfuse LLM - CVE-2026-42278
UltraDAG: Smart Account Spending Policy Bypass via Pockets
V. Comments for CVE-2020-10138
No comments yet