CVE-2025-13051 CRITICAL

CVE-2025-13051: Windows service used an uncontrolled search path element will cause unauthorized code execution with localsystem privileges

Vendor Asustor
Product ABP and AES
Weakness CWE-427
Published November 19, 2025
Last update November 19, 2025

CVSS base score

9.3/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

When the service of ABP and AES is installed in a directory writable by non-administrative users, an attacker can replace or plant a DLL with the same name as one loaded by the service. Upon service restart, the malicious DLL is loaded and executed under the LocalSystem account, resulting in unauthorized code execution with elevated privileges. This issue affects ABP and AES: from ABP 2.0 through 2.0.7.9050, from AES 1.0 through 1.0.6.8290.

Key dates

02Disclosure timeline

November 19, 2025 CVE published
November 19, 2025 Record updated