CVE-2025-8070 CRITICAL

CVE-2025-8070: Windows service registered with an unquoted ImagePath vulnerability in the system registry

Vendor Asustor
Product ABP and AES
Weakness CWE-428
Published July 23, 2025
Last update July 23, 2025

CVSS base score

9.2/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:N/SA:N

What the vulnerability does

01Description

The Windows service configuration of ABP and AES contains an unquoted ImagePath registry value vulnerability. This allows a local attacker to execute arbitrary code by placing a malicious executable in a predictable location such as C:\Program.exe. If the service runs with elevated privileges, exploitation results in privilege escalation to SYSTEM level. This vulnerability arises from an unquoted service path affecting systems where the executable resides in a path containing spaces. Affected products and versions include: ABP 2.0.7.6130 and earlier as well as AES 1.0.6.6133 and earlier.

Key dates

02Disclosure timeline

July 23, 2025 CVE published
July 23, 2025 Record updated