Paramount Macrium Reflect Arbitrary Code Execution Vulnerability via Crafted Backup Files

Vulnerability

A vulnerability in Paramount Macrium Reflect, affecting versions through 2025-06-26, allows local attackers to execute arbitrary code with administrator privileges. This is achieved by placing a malicious VSSSvr.dll file in the same directory as a crafted .mrimgx backup file. When a user with administrative rights mounts the backup, Macrium Reflect loads the malicious DLL due to untrusted DLL search path behavior in ReflectMonitor.exe.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of code with elevated privileges, potentially allowing for significant system compromise.

Reproduction

To reproduce this vulnerability, create a .mrimgx backup file and place it in a directory. Then, add a malicious VSSSvr.dll file in the same directory. When a user with administrative privileges mounts the backup file, the Macrium Reflect application will load the malicious DLL, executing any embedded code with administrator rights.

Remediation

Users are advised to update to Macrium Reflect versions 8.1.8595, 8.1.8620, or 10.0.8576, all of which include the necessary security patch. For those using Macrium Site Manager, version 8.1.8602 includes the same patch.
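Until every host is patched, backup locations can be swept for the condition described above: a VSSSvr.dll sitting in the same directory as a .mrimgx file. The script below is an added example, not code from Macrium or from this advisory; the function names and the report fields are assumptions chosen for illustration.

```python
import hashlib
import os
import sys
from pathlib import Path

BACKUP_EXT = ".mrimgx"      # backup format named in the advisory
PLANTED_DLL = "vsssvr.dll"  # DLL name from the advisory, matched case-insensitively


def sha256_of(path):
    """Hash a file in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_suspect_dirs(root):
    """Return one finding per VSSSvr.dll that shares a directory with a .mrimgx file."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        backups = sorted(f for f in filenames if f.lower().endswith(BACKUP_EXT))
        dlls = sorted(f for f in filenames if f.lower() == PLANTED_DLL)
        if not (backups and dlls):
            continue  # a DLL alone or a backup alone is not the advisory's condition
        for dll in dlls:
            dll_path = Path(dirpath) / dll
            findings.append({
                "directory": dirpath,
                "dll": dll,
                "size": dll_path.stat().st_size,
                "sha256": sha256_of(dll_path),  # for triage or later comparison
                "backups": backups,
            })
    return findings


if __name__ == "__main__":
    # Usage: python sweep.py <backup-root> [<backup-root> ...]
    hits = [f for root in sys.argv[1:] for f in find_suspect_dirs(root)]
    for f in hits:
        print(f"{f['directory']}: {f['dll']} sha256={f['sha256']} "
              f"beside {', '.join(f['backups'])}")
    sys.exit(1 if hits else 0)
```

A hit means the DLL should be reviewed and removed before any backup in that directory is mounted by an administrator.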

Added: Aug 4, 2025, 7:22 PM
Updated: Aug 4, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 10.0
exploitability: 2.9
remediation: 7.7
relevance: 0.3
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.