CVE-2026-12780
Status: Received - Intake
Improper Access Control in AOMEI Backupper Kernel Driver

Publication date: 2026-06-21

Last updated on: 2026-06-21

Assigner: VulDB

Description
A vulnerability was identified in AOMEI Backupper up to version 8.3.0. The affected code is an unknown function in the library amwrtdrv.sys of the Kernel Driver component. Manipulation can lead to improper access controls. The attack must be launched locally. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-06-21
Last Modified: 2026-06-21
Generated: 2026-06-21
AI Q&A: 2026-06-21
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: aomei
Product: backupper
Version / Range: up to 8.3.0 (inclusive)
CWE
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-266: The product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Executive Summary

CVE-2026-12780 is a local privilege escalation vulnerability in AOMEI Backupper versions up to and including 8.3.0. It exists in the kernel driver component amwrtdrv.sys, which exposes a raw disk forwarding interface that allows standard, non-administrative users to send read and write requests directly to disk devices.

This interface bypasses the normal Windows access controls that restrict disk operations, enabling low-privileged users to read or modify protected files by accessing their underlying disk data clusters. The vulnerability occurs because the driver does not enforce proper access checks before processing these requests.

In essence, a local attacker can exploit this flaw to perform privileged disk operations that should normally require administrative rights.

Impact Analysis

This vulnerability can have serious impacts including unauthorized disclosure or tampering of protected files on the system.

An attacker with local access can escalate their privileges by modifying critical system or security-sensitive files, potentially gaining administrative control or disrupting system integrity.

Such unauthorized access and modification can lead to data breaches, system compromise, and loss of trust in the affected system.

Detection Guidance

This vulnerability can be detected by checking for the presence and accessibility of the kernel driver amwrtdrv.sys, which exposes a raw disk forwarding interface at \\.\amwrtdrv\Partition0\DISK<N>. If standard, non-administrative users can send read and write requests to this interface, the system is vulnerable.

To detect this on your system, you can verify if the device object \Device\amwrtdrv or the symbolic link \\.\amwrtdrv exists and check its access control lists (ACLs) to see if non-administrative users have access.

Suggested commands include using Windows tools like:

  • PowerShell check that the driver is registered with the Service Control Manager and whether it is running: Get-CimInstance Win32_SystemDriver | Where-Object PathName -like '*amwrtdrv.sys' | Select-Object Name, State, PathName
  • Sysinternals AccessChk to dump the ACL of the device object in the Object Manager namespace (the -o switch selects the object namespace rather than the file system): accesschk.exe -o \Device\amwrtdrv
  • Checking loaded drivers with: driverquery /v | findstr /i amwrtdrv

If non-administrative users can access or send I/O requests to this driver interface, the vulnerability is present.
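As an added check that is not part of the advisory: the PowerShell script below, run from a non-elevated prompt, lists the driver's SCM entry and attempts to open the device paths named above with read and with read/write access, closing the handle immediately and issuing no I/O. The DISK0 suffix is an assumption for the first disk; an open that succeeds for a standard user is the condition the guidance describes.

```powershell
# Added example, not part of the advisory or of AOMEI's software. Read-only check:
# does the amwrtdrv device exist, and can the current user obtain a handle to it?
# Opens and immediately closes the handle; no read, write or IOCTL is issued.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr CreateFileW(string name, uint access, uint share,
    IntPtr sa, uint disposition, uint flags, IntPtr template);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
"@

function Test-DeviceOpen {
    param([string]$Path, [uint32]$Access)
    # FILE_SHARE_READ|FILE_SHARE_WRITE = 3, OPEN_EXISTING = 3
    $h = [Win32.Native]::CreateFileW($Path, $Access, 3, [IntPtr]::Zero, 3, 0, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    $acc = '0x{0:X8}' -f $Access
    if ($h.ToInt64() -eq -1) {
        # 2 = ERROR_FILE_NOT_FOUND (device absent), 5 = ERROR_ACCESS_DENIED (ACL blocks the open)
        return [pscustomobject]@{ Path = $Path; Access = $acc; Opened = $false; Win32Error = $err }
    }
    [void][Win32.Native]::CloseHandle($h)
    return [pscustomobject]@{ Path = $Path; Access = $acc; Opened = $true; Win32Error = 0 }
}

$GENERIC_READ = [uint32]0x80000000
$GENERIC_RW   = [uint32]0xC0000000   # GENERIC_READ | GENERIC_WRITE

# Only a standard-user context gives a meaningful answer: an elevated shell opens
# the device regardless of the ACL, so flag that case before reporting.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if ($elevated) { Write-Warning "Running elevated: rerun as a standard user for a meaningful result." }

# SCM view of the driver: is it registered, and is it currently running?
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -like '*amwrtdrv.sys' } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

# Device paths from the advisory; DISK0 is assumed to be the first disk.
$results = foreach ($p in '\\.\amwrtdrv', '\\.\amwrtdrv\Partition0\DISK0') {
    Test-DeviceOpen -Path $p -Access $GENERIC_READ
    Test-DeviceOpen -Path $p -Access $GENERIC_RW
}
$results | Format-Table -AutoSize

if (-not $elevated -and ($results | Where-Object { $_.Opened })) {
    Write-Warning "A standard user can open the amwrtdrv interface: host appears affected by CVE-2026-12780."
}
```

ERROR_FILE_NOT_FOUND on every path means the driver is not present or not loaded; ERROR_ACCESS_DENIED for the read/write attempt means the device ACL is already blocking standard users.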

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable driver interface so that standard users can no longer send read and write requests.

On the affected host:

  • Modify the device object's access control list (ACL) to deny or limit access to non-administrative users.

In the driver itself (changes the vendor would need to ship):

  • Set the FILE_DEVICE_SECURE_OPEN characteristic on the device object so that the device ACL is enforced on every open request, including opens of names beneath the device such as \amwrtdrv\Partition0\DISK<N>.
  • Require administrative privilege checks before processing any requests to the driver.
  • Avoid forwarding user-controlled I/O operations directly in kernel mode; instead, broker such operations through a privileged service that validates authorization.

If possible, update or patch the software once the vendor releases a fix, although the vendor has not responded to this disclosure.

Compliance Impact

This vulnerability allows low-privileged local users to bypass access controls and read or modify protected files by exploiting a kernel driver in AOMEI Backupper. Such unauthorized access and potential tampering with sensitive or protected data could lead to violations of data protection requirements mandated by standards like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Specifically, the ability to escalate privileges and manipulate critical system or security-sensitive files increases the risk of data breaches or unauthorized data disclosure, which are key compliance concerns under these regulations.
