A essential safety vulnerability has been found in ASUSTOR backup and synchronization software program, permitting attackers to execute malicious code with elevated system privileges.
The flaw, tracked as CVE-2025-13051, impacts two extensively used ASUSTOR functions and poses a big danger to customers operating outdated variations.
The DLL Hijacking Vulnerability
The vulnerability stems from a DLL hijacking weak spot that happens when ASUSTOR Backup Plan (ABP) and ASUSTOR EZSync (AES) providers are put in in directories accessible to non-administrative customers.
Attackers can exploit this flaw by changing professional dynamic hyperlink library (DLL) recordsdata with malicious variations that share the identical filename as these loaded by the service.
When the affected service restarts, the malicious DLL is routinely loaded and executed.
FieldDetailsCVE IDCVE-2025-13051SeverityCriticalCVSS 4.0 Score9.3Attack VectorLocalAffected ProductsABP ≤2.0.7.9050, AES ≤1.0.6.8290
Beneath the LocalSystem account, granting attackers unauthorized code execution with the very best stage of system privileges.
Such a assault can result in full system compromise, permitting risk actors to put in malware, steal delicate information, or set up fixed backdoor entry.
The bug impacts ABP model 2.0.7.9050 and all older variations, and AES model 1.0.6.8290 and all earlier releases.
ASUSTOR has launched safety patches to deal with this essential flaw. Customers ought to instantly improve to ABP model 2.0.7.10171 or greater, and to AES model 1.1.0.10312 or greater, to guard their methods from potential exploitation.
Comply with us on Google Information, LinkedIn, and X for every day cybersecurity updates. Contact us to function your tales.
