CVE-2025-13051
BaseFortify
Publication date: 2025-11-19
Last updated on: 2025-11-19
Assigner: ASUSTOR, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| asustor | abp | 2.0 |
| asustor | aes | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-427 | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs when the ABP and AES services are installed in directories writable by non-administrative users. An attacker can exploit this by replacing or planting a malicious DLL with the same name as one loaded by the service. When the service restarts, it loads and executes the malicious DLL under the LocalSystem account, allowing unauthorized code execution with elevated privileges.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized code execution with elevated privileges on the affected system. This means an attacker could gain control over the system with LocalSystem level access, potentially leading to full system compromise, data theft, or disruption of services.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that the installation directory of the ABP and AES services is not writable by non-administrative users. Restrict permissions on the directory so that only administrators can modify its contents, preventing attackers from replacing or planting malicious DLLs. Additionally, restart the service after applying these permission changes to avoid loading malicious DLLs.