Cobian Backup Unquoted Service Path Vulnerability Allowing Arbitrary Code Execution

Vulnerability

An unquoted service path vulnerability has been identified in Cobian Backup version 0.9.93. This vulnerability allows local users to execute arbitrary code with elevated privileges. The issue arises from the unquoted binary path of the CobianReflectorService, which can be exploited to inject malicious code that executes with LocalSystem permissions when the service starts.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of code with elevated system privileges, allowing local users to perform actions with the rights of the LocalSystem account.

Reproduction

To reproduce this vulnerability, a local user must be able to place their code in the system root path without detection by the operating system or security applications. Once the code is in place, it can be executed during the startup of Cobian Backup's service, CobianReflectorService, which runs under the LocalSystem account.
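
An added example, not part of the original advisory or of Cobian Backup's code: a Python audit that flags service ImagePath values with the unquoted-path condition described above and produces the quoted form that removes the ambiguity. The service names and paths are constructed samples (the advisory does not give the real CobianReflectorService path), and splitting on the first ".exe" is a heuristic assumption.

```python
import re

# Constructed sample ImagePath values; the advisory does not give the real
# CobianReflectorService path, so these names and paths are hypothetical.
SAMPLE_SERVICES = {
    "ExampleUnquoted": r"C:\Program Files\Example Vendor\Backup Tool\svc.exe -service",
    "ExampleQuoted": r'"C:\Program Files\Example Vendor\Backup Tool\svc.exe" -service',
    "ExampleNoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    "ExampleDriver": r"\SystemRoot\System32\drivers\example.sys",
}

# Heuristic: the executable ends at the first ".exe" followed by space or end.
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)(.*)$", re.IGNORECASE)


def audit_image_path(image_path):
    """Return None when the path is unambiguous, else a finding dict."""
    path = image_path.strip()
    if path.startswith('"'):
        return None  # already quoted
    match = EXE_RE.match(path)
    if not match:
        return None  # no .exe image (e.g. a kernel driver): out of scope here
    exe, args = match.groups()
    if " " not in exe:
        return None  # spaces only in the arguments are harmless
    # Without quotes, Windows tries each space-delimited prefix as a program
    # name before the real binary. None of these files should exist, and
    # their parent directories should not be writable by standard users.
    parts = exe.split(" ")
    watch = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    return {"exe": exe, "fixed": f'"{exe}"{args}', "watch_paths": watch}


def audit_services(services):
    """Map service name -> finding for every unquoted path with spaces."""
    findings = {}
    for name, image_path in services.items():
        finding = audit_image_path(image_path)
        if finding:
            findings[name] = finding
    return findings


if __name__ == "__main__":
    for name, finding in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: set ImagePath to {finding['fixed']}")
        for p in finding["watch_paths"]:
            print(f"  verify absent / not user-writable: {p}")
```

On a live host the same check would be fed from the ImagePath values under the services registry key instead of the sample dictionary.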

Added: Jan 14, 2026, 12:14 AM
Updated: Jan 14, 2026, 12:14 AM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 10.0
exploitability: 4.2
remediation: 0.0
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.