CVE-2019-25608
Privilege Escalation in Iperius Backup via Malicious Backup Jobs
Publication date: 2026-03-22
Last updated on: 2026-03-22
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iperus | iperius_backup | 6.1.0 |
| iperus | backup | 6.1.0 |
| iperus | backup | to 6.1.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-520 | Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25608 is a privilege escalation vulnerability in Iperius Backup version 6.1.0 that allows low-privilege users to execute arbitrary programs with elevated privileges.
The vulnerability arises because low-privilege users can create backup jobs that specify programs or batch files to run before or after backup operations. These programs run with the privileges of the Iperius Backup Service account, which operates under Local System or Administrator privileges.
An attacker with local low-privilege access can exploit this by creating a malicious backup job that runs a harmful program, such as a batch file launching a reverse shell, thereby gaining elevated code execution rights.
How can this vulnerability impact me?
This vulnerability allows an attacker with low-level local access to escalate their privileges to Local System or Administrator level on the affected machine.
By exploiting this flaw, attackers can execute arbitrary code with elevated privileges, potentially gaining full control over the system, accessing sensitive data, installing malware, or disrupting system operations.
The exploit can lead to a complete compromise of the affected system's confidentiality, integrity, and availability. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if low-privilege users have the ability to create or modify backup jobs in Iperius Backup 6.1.0, which run with elevated privileges.
One way to detect potential exploitation is to look for backup jobs configured to execute programs or batch files before or after backup operations.
Suggested commands include inspecting the permissions on the folder c:\ProgramData\IperiusBackup to see if the 'Everyone' group has write permissions, which would allow unauthorized users to create or modify backup jobs.
- On Windows, use the command: icacls "c:\ProgramData\IperiusBackup"
- Check for suspicious backup job configurations or batch files that may be set to run before or after backup operations.
- Look for unexpected or unauthorized batch files or executables in the backup job definitions. [1]
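The icacls check above can be automated when its output is collected from many hosts. The following is an added example, not part of the original advisory or of Iperius Backup: it parses icacls output for the folder and reports allow entries that give a broad principal write-capable rights. The principal list, the set of rights treated as write-capable, and the sample output are assumptions constructed for illustration.

```python
import re

# Principals that include ordinary, non-administrative local accounts (assumed list).
BROAD_PRINCIPALS = {"everyone", "builtin\\users",
                    "nt authority\\authenticated users", "nt authority\\interactive"}
# icacls inheritance markers, which are not access rights.
INHERITANCE = {"I", "OI", "CI", "IO", "NP"}
# Rights that allow creating, changing or re-permissioning files:
# F full, M modify, W write, WD write data, AD append data, DC delete child,
# WDAC write DAC, WO write owner, GW generic write, GA generic all.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "WDAC", "WO", "GW", "GA"}
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<perms>(?:\([A-Z,]+\))+)$")


def parse_icacls(output, path):
    """Return (principal, rights, is_deny) for each ACE line of icacls output."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # the first line carries the path
        match = ACE_RE.match(line)
        if not match:
            continue  # blank line or the "Successfully processed" summary
        tokens = set(re.findall(r"[A-Z]+", match["perms"]))
        is_deny = "DENY" in tokens  # icacls marks deny entries with (DENY)
        aces.append((match["principal"], tokens - INHERITANCE - {"DENY"}, is_deny))
    return aces


def risky_aces(output, path):
    """Allow ACEs that give a broad principal write-capable rights."""
    return [
        (principal, sorted(rights & WRITE_RIGHTS))
        for principal, rights, is_deny in parse_icacls(output, path)
        if not is_deny
        and principal.lower() in BROAD_PRINCIPALS
        and rights & WRITE_RIGHTS
    ]


# Constructed sample output, not captured from a real host.
SAMPLE = r"""c:\ProgramData\IperiusBackup Everyone:(OI)(CI)(F)
                             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                             BUILTIN\Administrators:(I)(OI)(CI)(F)
                             BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files"""
```

Calling risky_aces(SAMPLE, r"c:\ProgramData\IperiusBackup") returns the Everyone entry with full control; an empty list means no broad principal holds write-capable rights on the folder.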
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately remove the 'Everyone' permission from the folder c:\ProgramData\IperiusBackup to restrict unauthorized users from creating or modifying backup jobs.
This prevents low-privilege users from exploiting the backup job feature to execute arbitrary code with elevated privileges.
Additionally, review and restrict permissions on the Iperius Backup service and related files to ensure only trusted administrators have access.
Consider monitoring backup job configurations for any unauthorized changes or suspicious entries. [1]