Arbitrary Code Execution Vulnerability in ABP and AES by ASUSTOR
CVE-2025-8070
9.2 CRITICAL
What is CVE-2025-8070?
A local attacker can exploit an unquoted ImagePath in the Windows service configuration of ABP and AES. This vulnerability arises when the executable is located in a path containing spaces, enabling the attacker to place a malicious executable in a predictable location, such as C:\Program.exe. If successfully exploited, the vulnerability can lead to arbitrary code execution with elevated privileges, allowing the attacker to escalate to SYSTEM level.
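A defender can audit service configurations for the condition described above. The following Python sketch is an added example, not code from the advisory or from ASUSTOR: it flags ImagePath values whose executable path contains a space and is not quoted, and returns the quoted form to set instead. The service names and paths in the sample inventory are constructed.

```python
import re

# Executable portion of an unquoted ImagePath: shortest prefix ending in ".exe"
# that is followed by whitespace or the end of the value; the rest is arguments.
_UNQUOTED_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)(.*)$", re.IGNORECASE)


def audit_image_path(image_path):
    """Return (vulnerable, corrected_value) for one service ImagePath string."""
    value = image_path.strip()
    if value.startswith('"'):
        return False, value          # already quoted
    match = _UNQUOTED_EXE.match(value)
    if match is None:
        return False, value          # not an .exe command line (e.g. a .sys driver)
    exe, args = match.groups()
    if " " not in exe:
        return False, value          # no space, so the path is unambiguous
    return True, f'"{exe}"{args}'    # space and no quotes: ambiguous path


def audit_services(services):
    """Map service name -> corrected ImagePath for every vulnerable entry."""
    findings = {}
    for name, image_path in services.items():
        vulnerable, fixed = audit_image_path(image_path)
        if vulnerable:
            findings[name] = fixed
    return findings


# Constructed sample inventory (service names and paths are hypothetical).
SAMPLE_SERVICES = {
    "ExampleBackupSvc": r"C:\Program Files\Example Vendor\Backup Agent\agent.exe --service",
    "ExampleQuotedSvc": r'"C:\Program Files\Example Vendor\Sync\sync.exe" -k run',
    "ExampleSystemSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ExampleDriver": r"\SystemRoot\System32\drivers\example.sys",
}

if __name__ == "__main__":
    for name, fixed in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted ImagePath, set to {fixed}")
```

On a live host, the input would be the ImagePath values read from each service's registry key; that collection step is left out here so the check runs offline.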
Affected Version(s)
ABP and AES Windows ABP 2.0 <= 2.0.7.6130
ABP and AES Windows AES 1.0 <= 1.0.6.6133
CVSS V4
Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Kazuma Matsumoto from GMO Cybersecurity by IERAE, Inc.