We use cookies to help us improve our webpage. Please read our Cookie Policy .

ASUSTOR Product Security Advisory

AS-2025-009: ABP and AES

2025-11-19

Severity

Important

Status

Resolved

Statement

When the service of ABP and AES is installed in a directory writable by non-administrative users, an attacker can replace or plant a DLL with the same name as one loaded by the service. Upon service restart, the malicious DLL is loaded and executed under the LocalSystem account, resulting in unauthorized code execution with elevated privileges.
Affected products and versions include: ABP (ASUSTOR Backup Plan) 2.0.7.9050 and earlier as well as AES (ASUSTOR EZSync) 1.0.6.8290 and earlier.

  • The issue has been fixed on ABP (ASUSTOR Backup Plan) 2.0.7.10171 and AES (ASUSTOR EZSync) 1.1.0.10312.

Affected Products

Product Severity Fixed Release Availability
ABP (ASUSTOR Backup Plan) Important Upgrade to ABP 2.0.7.10171 or above.
AES (ASUSTOR EZSync) Important Upgrade to AES 1.1.0.10312 or above.

Detail

  • CVE-2025-13051
    • Severity: Critical
    • CVSS4 Base Score: 9.3
    • CVSS4 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
    • When the service of ABP and AES is installed in a directory writable by non-administrative users, an attacker can replace or plant a DLL with the same name as one loaded by the service. Upon service restart, the malicious DLL is loaded and executed under the LocalSystem account, resulting in unauthorized code execution with elevated privileges. Affected products and versions include: ABP (ASUSTOR Backup Plan) 2.0.7.9050 and earlier as well as AES (ASUSTOR EZSync) 1.0.6.8290 and earlier.

Reference

Acknowledgement

Kazuma Matsumoto, Security Researcher at GMO Cybersecurity by IERAE, Inc.


Revision

Revision Date Description
1 2025-11-18 Initial public release.
2 2025-11-19 CVE ID (CVE-2025-13051) is assigned for the issue.
3 2025-11-19 ABP 2.0.7.10171 and AES 1.1.0.10312 has been released for fixing the issue.