
Acronis has released an advisory for a critical security vulnerability in its popular backup plugins for server management platforms like cPanel, Plesk, and DirectAdmin.
The vulnerability, tracked as CVE-2024-8767 with a CVSS score of 9.9, affects the Linux-based Acronis Backup plugin for cPanel & WHM, Plesk, and DirectAdmin. The flaw stems from permission settings within the plugins, which could lead to the leakage of sensitive information and allow unauthorized operations on affected servers. Servers that run these plugins without the updates could therefore be at risk of severe data breaches or manipulation.
Although Acronis issued patches for the CVE-2024-8767 flaw over a year ago—DirectAdmin version 1.2.0 in May 2023, and cPanel & WHM version 1.8.0 and Plesk version 1.8.0 in June 2023—the company’s latest advisory signals concern that many systems remain unpatched.
Acronis does not disclose any information regarding security issues until patches or releases are generally available to protect its customers. Acronis also said it is not aware of any exploitation in the wild.
Customers are advised to upgrade their applications as soon as possible, following the advisory.


