A newly disclosed vulnerability in ASUSTOR’s Windows-based applications—ASUSTOR Backup Plan (ABP) and ASUSTOR EZSync (AES)—could allow local attackers to escalate privileges to SYSTEM, the highest level of access in Windows environments. Tracked as CVE-2025-8070 with a CVSS v4 score of 9.2 (Critical), this vulnerability highlights the ongoing risk of unquoted service paths, a well-known yet still frequently exploited Windows misconfiguration.
At the core of this vulnerability is the misconfigured ImagePath registry value used to define how the Windows service launches the application. When the path to the service executable includes spaces and is not enclosed in quotation marks, the Windows service manager may misinterpret where the executable begins and ends. This can be abused by placing a malicious executable at a higher-priority path segment—such as C:\Program.exe—which the system might inadvertently execute instead of the intended binary.
“This allows a local attacker to execute arbitrary code by placing a malicious executable in a predictable location such as ‘C:\Program.exe,’” the advisory explains. “If the service runs with elevated privileges, exploitation results in privilege escalation to SYSTEM level.”
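The registry value at the heart of this bug class can be audited on any Windows host. The script below is an added example written for this article, not code from ASUSTOR or from the advisory. It walks every key under HKLM:\SYSTEM\CurrentControlSet\Services, flags an ImagePath that is unquoted and contains a space before the executable name, lists the shorter paths the service control manager would try first (one per space, each with `.exe` appended, which is how the `C:\Program.exe` case arises), and reports whether the directory holding each such path grants write access to low-privileged groups. The function names `Get-UnquotedServicePath` and `Test-UserWritable` are this example's own; the writability check is an ACL heuristic and is marked as such in the comments.

```powershell
# Added example (not ASUSTOR's or the advisory's code): audit Windows services for
# unquoted ImagePath values and report which shorter paths would be tried first.

function Test-UserWritable {
    # Heuristic: does the directory's ACL allow a low-privileged group to write?
    # Inheritance flags are ignored here, so treat a $true result as "verify by hand".
    param([string]$Directory)

    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }

    $lowPriv = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles') { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $imagePath = $props.ImagePath
        if (-not $imagePath) { continue }

        # Expand %SystemRoot% and friends so the check sees the path as Windows does.
        $expanded = [Environment]::ExpandEnvironmentVariables($imagePath).Trim()

        # Already quoted, or a kernel-style path such as \SystemRoot\... : not this bug class.
        if ($expanded.StartsWith('"') -or $expanded.StartsWith('\')) { continue }

        # Isolate the executable portion (up to the first ".exe"), leaving arguments aside.
        $m = [regex]::Match($expanded, '^(?<exe>.+?\.exe)(\s|$)', 'IgnoreCase')
        if (-not $m.Success) { continue }
        $exe = $m.Groups['exe'].Value
        if ($exe -notmatch '\s') { continue }   # no space in the path, no ambiguity

        # Each space in the path yields a shorter candidate that would be tried first.
        $candidates = @()
        $idx = $exe.IndexOf(' ')
        while ($idx -gt 0) {
            $candidates += ($exe.Substring(0, $idx) + '.exe')
            $idx = $exe.IndexOf(' ', $idx + 1)
        }

        # Directories a low-privileged user could write to are what make the finding matter.
        $exposed = @($candidates | Where-Object { Test-UserWritable -Directory (Split-Path -Path $_ -Parent) })

        [PSCustomObject]@{
            Service            = $key.PSChildName
            Account            = $props.ObjectName      # e.g. LocalSystem
            ImagePath          = $imagePath
            Candidates         = $candidates
            UserWritableTarget = $exposed
        }
    }
}

# Usage: list every unquoted service path, then narrow to the ones that combine
# a privileged account with a candidate path in a user-writable directory.
Get-UnquotedServicePath | Format-List
Get-UnquotedServicePath |
    Where-Object { $_.UserWritableTarget.Count -gt 0 } |
    Select-Object Service, Account, UserWritableTarget
```

Reading the Services hive and directory ACLs works from a standard user session, so the audit does not itself need elevation. A result that pairs a SYSTEM-level account with a user-writable candidate directory is exactly the condition the advisory describes; the fix on the vendor side is to quote the ImagePath (or install under a directory without spaces), and on the administrator side to apply the patched versions and confirm the value now begins with a quotation mark.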
The affected applications include:
- ABP (ASUSTOR Backup Plan) version 2.0.7.6130 and earlier
- AES (ASUSTOR EZSync) version 1.0.6.6133 and earlier
ASUSTOR has acknowledged the issue and released patched versions of both products:
- ABP 2.0.7.6131
- AES 1.0.6.6134
Users running vulnerable versions are strongly advised to upgrade immediately to prevent potential exploitation. While this is a local vulnerability—meaning the attacker must already have access to the system—it poses a severe risk in environments where privilege escalation could allow lateral movement, persistence, or disabling of endpoint defenses.