in that case you can mark it as a false positive. Web application scanners look for some keywords in request/response to figure out if the website is vulnerable to CSRF or not. Typically it is CSRF hidden field, CSRF request header or CSRF cookie. If nothing is found the scanner marks it as CSRF vulnerable. Since we use ViewState as a CSRF protection, Acunetix is not able to verify if the website is vulnerable or not.
This false positive reported by Acunetix should be removed in Kentico 9.