DLL Hijacking Vulnerability in ABP and AES by Asustor
CVE-2025-13051
9.3 CRITICAL
What is CVE-2025-13051?
A vulnerability exists in the ABP and AES services: a directory they load DLLs from is writable by non-administrative users. By placing a malicious DLL with the same name as an existing service DLL in this directory, an attacker can execute unauthorized code with elevated system privileges. The code runs when the affected service is restarted, because the planted DLL is then loaded under the LocalSystem account.
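A defender can check hosts for the precondition described above. The following PowerShell audit is an added example, not Asustor's code or part of the original advisory. The page names neither the service nor the directory, so it scans every LocalSystem service and assumes the DLL is loaded from the service executable's own directory; the trusted SID list is also an assumption to adjust locally.

```powershell
# Added example: list LocalSystem services whose binary directory can be
# written by a principal outside a trusted set. Run from an elevated prompt.
# Assumption: the DLL is loaded from the service executable's own directory.

$trusted = @(
    'S-1-5-18',        # LocalSystem
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# CreateFiles (WriteData) on a directory, plus generic write and generic all.
$writeBits = 0x2 -bor 0x40000000 -bor 0x10000000
$sidType   = [System.Security.Principal.SecurityIdentifier]

Get-CimInstance Win32_Service |
  Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
  ForEach-Object {
    $svc = $_
    # PathName may be quoted and may carry arguments; keep only the image path.
    if     ($svc.PathName -match '^\s*"([^"]+)"')        { $exe = $Matches[1] }
    elseif ($svc.PathName -match '^\s*(.+?\.exe)(\s|$)') { $exe = $Matches[1] }
    else   { return }
    $dir = Split-Path -Path $exe -Parent
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { return }

    # Ask for rules keyed by SID so the check does not depend on OS language.
    $rules = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType)
    foreach ($ace in $rules) {
      if ($ace.AccessControlType -ne 'Allow')                 { continue }
      if ([int]$ace.PropagationFlags -band 2)                 { continue }  # InheritOnly
      if (-not ([int]$ace.FileSystemRights -band $writeBits)) { continue }
      if ($trusted -contains $ace.IdentityReference.Value)    { continue }
      [pscustomobject]@{
        Service   = $svc.Name
        Directory = $dir
        Principal = $ace.IdentityReference.Value   # SID string
        Rights    = $ace.FileSystemRights
      }
    }
  } | Sort-Object Service, Principal -Unique | Format-Table -AutoSize
```

Any row returned means a non-trusted principal can create files beside a LocalSystem service binary; tightening that directory's ACL removes the precondition independently of the vendor fix.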
Affected Version(s)
ABP and AES Windows ABP 2.0 <= 2.0.7.9050
ABP and AES Windows AES 1.0 <= 1.0.6.8290
CVSS V4
Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Kazuma Matsumoto, Security Researcher at GMO Cybersecurity by IERAE, Inc.
