Overview
A critical vulnerability, identified as CVE-2025-13051, has been discovered in ASUSTOR Backup Plan (ABP) and ASUSTOR EZ Sync (AES). This vulnerability allows a local attacker to escalate privileges to LocalSystem, potentially leading to complete system compromise. The vulnerability stems from insecure file permissions on the installation directory, allowing non-administrative users to plant malicious DLL files.
Technical Details
CVE-2025-13051 arises when the ABP and AES services are installed in a directory where non-administrative users have write access. An attacker can exploit this by placing a malicious Dynamic Link Library (DLL) file with the same name as one that the service loads upon startup. When the ABP or AES service is restarted, the operating system will load and execute the attacker’s DLL file under the LocalSystem account. This gives the attacker complete control over the system.
Affected Products and Versions:
- ASUSTOR Backup Plan (ABP): Versions 2.0 through 2.0.7.9050
- ASUSTOR EZ Sync (AES): Versions 1.0 through 1.0.6.8290
CVSS Analysis
Due to the potential for complete system compromise, this vulnerability is considered high risk. While the CVSS score is currently N/A, it is expected to be a high score (above 7.0) when calculated, due to the privilege escalation to LocalSystem. Factors contributing to this severity include:
- Attack Vector: Local (requires local access to the system)
- Attack Complexity: Low (relatively easy to exploit once local access is obtained)
- Privileges Required: Low (requires only the ability to write to the installation directory)
- User Interaction: None (no user interaction required after DLL planting)
- Scope: Changed (privilege escalation from user to system)
- Confidentiality Impact: High (attacker can access all system data)
- Integrity Impact: High (attacker can modify system data and processes)
- Availability Impact: High (attacker can cause a denial-of-service condition)
Possible Impact
Successful exploitation of CVE-2025-13051 can have severe consequences, including:
- Complete System Compromise: The attacker gains full control over the affected system.
- Data Theft: Sensitive data can be accessed and exfiltrated.
- Malware Installation: The attacker can install malware, including ransomware, keyloggers, and backdoors.
- Lateral Movement: If the compromised system is part of a network, the attacker may be able to use it to gain access to other systems.
- Denial of Service: The attacker can disable critical system functions.
Mitigation and Patch Steps
ASUSTOR has released a security advisory and likely provided updated versions of ABP and AES to address this vulnerability. Users of affected versions are strongly advised to take the following steps:
- Update ABP and AES: Upgrade to the latest versions of ASUSTOR Backup Plan and ASUSTOR EZ Sync as soon as possible. These updated versions contain the necessary fixes to prevent exploitation of CVE-2025-13051.
- Verify File Permissions: Ensure that the installation directories for ABP and AES are not writable by non-administrative users. Adjust file permissions as needed.
- Implement Principle of Least Privilege: Limit user access to only the resources and privileges necessary for their tasks.
- Monitor System Activity: Monitor your system for suspicious activity, such as unexpected process creation, file modifications, or network connections.
