Paramount Macrium Reflect Arbitrary Code Execution Vulnerability via Crafted Backup Files

A vulnerability in Paramount Macrium Reflect, affecting versions through 2025-06-26, allows attackers to execute arbitrary code with administrator privileges. This is achieved by placing a malicious .mrimgx or .mrbax backup file in the same directory as a renamed executable, such as explorer.exe, which is then executed when the backup file is mounted. The issue arises from inadequate validation of companion files during the backup mounting process.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of code with administrative rights, potentially allowing for significant system modifications or the introduction of malicious software.

Remediation

Users are advised to update to Macrium Reflect version 8.1.8595, Macrium Reflect LTSC 2024 version 8.1.8620, or Macrium Reflect X version 10.0.8576. For those using Macrium Site Manager 8.1, the patched version is 8.1.8602. Instructions for updating can be found in the release notes for each version.