ASUSTOR ABP and AES Unquoted ImagePath Vulnerability in Windows Service Configuration Allowing Privilege Escalation
Vulnerability
A vulnerability exists in the Windows service configuration of ASUSTOR Backup Plan (ABP) versions through 2.0.7.6130 and ASUSTOR EZSync (AES) versions through 1.0.6.6133. The vulnerability stems from an unquoted ImagePath registry value, which allows local attackers to execute arbitrary code by placing a malicious executable in a predictable location, such as 'C:\Program.exe'. If the service is running with elevated privileges, this exploitation could lead to privilege escalation to SYSTEM level.
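To make the unquoted ImagePath problem concrete, the following added example (not code from ASUSTOR or from this advisory) parses service ImagePath strings, lists the earlier paths Windows would try before the intended binary, and shows the quoted form of the value. The service names and paths in `SAMPLE` are constructed for illustration; on a real host the values would come from `HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath`.

```python
import re

# End of the executable token in an unquoted value: extension, then space or end.
_EXE_END = re.compile(r"\.(?:exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)

def split_image_path(image_path):
    """Return (executable_path, is_quoted) for a service ImagePath value."""
    value = image_path.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return (value[1:end] if end != -1 else value[1:]), True
    m = _EXE_END.search(value)
    # No recognisable extension: treat the whole value as the path (errs toward flagging).
    return (value[:m.end()] if m else value), False

def ambiguous_candidates(image_path):
    """Paths Windows tries before the intended binary when the value is unquoted."""
    exe, quoted = split_image_path(image_path)
    if quoted or " " not in exe:
        return []
    parts = exe.split(" ")
    # Each prefix that ends at a space is tried first, with ".exe" appended.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def quoted_fix(image_path):
    """Return the value with the executable path wrapped in double quotes."""
    exe, quoted = split_image_path(image_path)
    if quoted or " " not in exe:
        return image_path
    return f'"{exe}"' + image_path.strip()[len(exe):]

def audit(services):
    """Map service name -> earlier candidate paths, for values that need quoting."""
    return {n: c for n, p in services.items() if (c := ambiguous_candidates(p))}

# Constructed sample values (hypothetical service names and paths, not from the advisory).
SAMPLE = {
    "ExampleBackupSvc": r"C:\Program Files\Example Vendor\Backup Agent\agent.exe --service",
    "ExampleQuotedSvc": r'"C:\Program Files\Example Vendor\Sync\sync.exe" -k',
    "ExampleNoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, cands in audit(SAMPLE).items():
        print(name, "-> review write permissions where these would live:", cands)
        print("  quoted value:", quoted_fix(SAMPLE[name]))
```

Only the first sample service is flagged; the quoted and space-free values produce no candidates, which is the state a patched installation should be in.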
Impact
Exploitation of this vulnerability allows for arbitrary code execution, with potential privilege escalation to SYSTEM level, if the service is running with elevated privileges.
Remediation
Users can upgrade to ASUSTOR Backup Plan version 2.0.7.6131 or above, or ASUSTOR EZSync version 1.0.6.6134 or above.
