CVE-2025-8610
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-08-20
Last updated on: 2025-08-25
Assigner: Zero Day Initiative
Description
Description
AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of AOMEI Cyber Backup. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the StorageNode service, which listens on TCP port 9075 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-26156.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aomei | cyber_backup | 3.7.0 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in AOMEI Cyber Backup's StorageNode service, which listens on TCP port 9075. It allows remote attackers to execute arbitrary code without any authentication, meaning they can run code with SYSTEM-level privileges on affected installations.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can execute arbitrary code remotely with SYSTEM privileges, potentially leading to full system compromise, data loss, unauthorized access, and disruption of services.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70