Description
AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of AOMEI Cyber Backup. Authentication is not required to exploit this vulnerability. The specific flaw exists within the StorageNode service, which listens on TCP port 9075 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-26156.
EPSS Score:
0%
Comprehensive Technical Analysis of EUVD-2025-25389
1. Vulnerability Assessment and Severity Evaluation
The vulnerability identified as EUVD-2025-25389 pertains to AOMEI Cyber Backup, specifically within the StorageNode service. This service listens on TCP port 9075 and lacks proper authentication mechanisms, allowing remote attackers to execute arbitrary code. The severity of this vulnerability is rated with a CVSS Base Score of 9.8, which is considered critical. The CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates the following:
- Attack Vector (AV): Network (N) - The vulnerability is exploitable over the network.
- Attack Complexity (AC): Low (L) - The attack requires minimal complexity.
- Privileges Required (PR): None (N) - No privileges are required to exploit the vulnerability.
- User Interaction (UI): None (N) - No user interaction is required.
- Scope (S): Unchanged (U) - The vulnerability does not change the security scope.
- Confidentiality (C): High (H) - The vulnerability has a high impact on confidentiality.
- Integrity (I): High (H) - The vulnerability has a high impact on integrity.
- Availability (A): High (H) - The vulnerability has a high impact on availability.
Given these factors, the vulnerability poses a significant risk to organizations using AOMEI Cyber Backup.
2. Potential Attack Vectors and Exploitation Methods
The primary attack vector is through the network, specifically targeting the StorageNode service on TCP port 9075. Potential exploitation methods include:
- Remote Code Execution (RCE): An attacker can send crafted packets to the StorageNode service, exploiting the lack of authentication to execute arbitrary code.
- Denial of Service (DoS): By sending malformed packets, an attacker could potentially crash the service, leading to a denial of service.
- Data Exfiltration: Given the high impact on confidentiality, an attacker could exfiltrate sensitive data from the affected system.
3. Affected Systems and Software Versions
The vulnerability affects AOMEI Cyber Backup version 3.7.0. It is crucial to note that other versions might also be affected if they share the same codebase for the StorageNode service. Organizations should verify the version of their AOMEI Cyber Backup installation and apply the necessary patches.
4. Recommended Mitigation Strategies
To mitigate the risk associated with this vulnerability, the following strategies are recommended:
- Patch Management: Ensure that the latest patches and updates from AOMEI are applied. AOMEI should release a security update addressing this vulnerability.
- Network Segmentation: Isolate the StorageNode service from untrusted networks to limit exposure.
- Firewall Rules: Implement strict firewall rules to restrict access to TCP port 9075.
- Intrusion Detection Systems (IDS): Deploy IDS to monitor for suspicious activity targeting the StorageNode service.
- Authentication Mechanisms: If possible, implement additional authentication mechanisms to protect critical functions.
5. Impact on European Cybersecurity Landscape
The impact of this vulnerability on the European cybersecurity landscape is significant. Organizations relying on AOMEI Cyber Backup for data protection and backup services are at risk of data breaches, service disruptions, and potential compliance violations under regulations such as GDPR. The critical nature of the vulnerability underscores the need for robust cybersecurity practices and timely patch management.
6. Technical Details for Security Professionals
- Vulnerability Identification: The vulnerability is identified as CVE-2025-8610 and was reported by the Zero Day Initiative (ZDI).
- Service Details: The StorageNode service listens on TCP port 9075 and is responsible for handling backup and storage operations.
- Exploitation Details: The lack of authentication allows attackers to send crafted packets to the service, leading to remote code execution.
- Detection: Security professionals should monitor network traffic for unusual activity on TCP port 9075 and look for signs of unauthorized access or code execution.
- Response: In case of an incident, isolate the affected system, apply the necessary patches, and conduct a thorough investigation to determine the extent of the compromise.
Conclusion
The EUVD-2025-25389 vulnerability in AOMEI Cyber Backup poses a critical risk to organizations. Immediate action is required to mitigate the risk, including applying patches, implementing network controls, and enhancing monitoring capabilities. The European cybersecurity community should remain vigilant and proactive in addressing such vulnerabilities to protect against potential attacks.