
A critical security vulnerability has been discovered in ASUSTOR backup and synchronization software, allowing attackers to execute malicious code with elevated system privileges.
The flaw, tracked as CVE-2025-13051, affects two widely used ASUSTOR applications and poses a significant risk to users running outdated versions.
The DLL Hijacking Vulnerability
The vulnerability stems from a DLL hijacking weakness that occurs when ASUSTOR Backup Plan (ABP) and ASUSTOR EZSync (AES) services are installed in directories accessible to non-administrative users.
Attackers can exploit this flaw by replacing legitimate dynamic link library (DLL) files with malicious versions that share the same filename as those loaded by the service.
When the affected service restarts, the malicious DLL is automatically loaded and executed.
| Field | Details |
|---|---|
| CVE ID | CVE-2025-13051 |
| Severity | Critical |
| CVSS 4.0 Score | 9.3 |
| Attack Vector | Local |
| Affected Products | ABP ≤2.0.7.9050, AES ≤1.0.6.8290 |
Because the affected services run under the LocalSystem account, the malicious DLL executes with that account's rights, granting attackers unauthorized code execution with the highest level of system privileges.
This type of attack can lead to complete system compromise, allowing threat actors to install malware, steal sensitive data, or establish persistent backdoor access.
The bug affects ABP version 2.0.7.9050 and all older versions, and AES version 1.0.6.8290 and all earlier releases.
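The precondition for the flaw described above is a service running as LocalSystem whose install directory, or the DLLs inside it, can be written by ordinary users. The following PowerShell script is an added defender-side check, not ASUSTOR's code and not taken from the advisory: it enumerates every LocalSystem service on the host, resolves each service's binary directory, and reports any directory or DLL on which a low-privileged identity holds write or modify rights. The ABP and AES service names are not given on this page, so the script audits all LocalSystem services rather than naming them; the list of low-privileged identities and the set of rights treated as "writable" are the author's assumptions.

```powershell
# Added example (not ASUSTOR's code): find LocalSystem services whose install
# directory or DLLs are writable by low-privileged users, the condition that
# makes the DLL hijacking in CVE-2025-13051 possible. Run from an elevated prompt.

# Identities whose write access to a service directory is a finding (assumed list).
$LowPrivIdentities = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow a user to drop a new DLL or overwrite an existing one.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles

function Get-ServiceBinaryDirectory {
    param([Parameter(Mandatory)][string]$PathName)
    # PathName may be quoted and may carry arguments, e.g. "C:\Program Files\X\svc.exe" -run
    $exe = if ($PathName -match '^"([^"]+)"') { $Matches[1] }
           elseif ($PathName -match '^(\S+\.exe)') { $Matches[1] }
           else { $PathName }
    return Split-Path -Parent $exe
}

function Test-WritableByLowPriv {
    param([Parameter(Mandatory)][string]$Path)
    # Return the first Allow ACE that gives a low-privileged identity write rights, else $null.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) {
            return [pscustomobject]@{
                Path     = $Path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
    return $null
}

function Find-HijackableServiceDirs {
    # Only LocalSystem services matter here: a planted DLL loaded by one of them
    # runs with the highest local privileges, as the advisory describes.
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName }
    foreach ($svc in $services) {
        $dir = Get-ServiceBinaryDirectory -PathName $svc.PathName
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # A writable directory lets an attacker add a DLL; a writable DLL lets
        # them replace one in place. Check both.
        $dlls = @(Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty FullName)
        foreach ($target in (@($dir) + $dlls)) {
            $hit = Test-WritableByLowPriv -Path $target
            if ($hit) {
                [pscustomobject]@{
                    Service  = $svc.Name
                    Path     = $hit.Path
                    Identity = $hit.Identity
                    Rights   = $hit.Rights
                }
            }
        }
    }
}

Find-HijackableServiceDirs | Format-Table -AutoSize
```

Any row in the output is a service that a standard user could hijack in the way the advisory describes; the fix is to apply the vendor update and, independently, to tighten the directory ACL so that only Administrators and SYSTEM can write to it. Inherited ACEs are included in `$acl.Access`, so a loose ACL on a parent directory such as a user-writable install root is reported as well.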
ASUSTOR has released security patches to address this critical flaw. Users should immediately upgrade to ABP version 2.0.7.10171 or higher, and to AES version 1.1.0.10312 or higher, to protect their systems from potential exploitation.
