MSP360 Free Backup Link Following Local Privilege Escalation Vulnerability
CVE-2025-12838

7.3HIGH

Key Information:

Vendor: Msp360
Status: Free Backup
Vendor: CVE Published:; 23 December 2025

What is CVE-2025-12838?

MSP360 Free Backup Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MSP360 Free Backup. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. User interaction on the part of an administrator is needed additionally.

The specific flaw exists within the restore functionality. By creating a junction, an attacker can abuse the service to create arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27245.

Affected Version(s)

Free Backup 8.1.0.620

References

https://www.zerodayinitiative.com/advisories/ZDI-25-988/

x_research-advisory

CVSS V3.0

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 23, 2025
Vulnerability Reserved
Nov 6, 2025

JSON

Msp360

What is CVE-2025-12838?

Affected Version(s)

References

CVSS V3.0

Timeline