CVE-2025-8070 Overview
CVE-2025-8070 is an unquoted service path vulnerability [CWE-428] affecting Asustor Backup Plan (ABP) and Asustor EZ Sync (AES) on Windows. The Windows service configuration stores the ImagePath registry value without surrounding quotes. When the executable path contains spaces, Windows attempts to load each space-delimited token as a binary. A local attacker who can write to a predictable location such as C:\Program.exe gains code execution under the service account. Affected versions include ABP 2.0.7.6130 and earlier, and AES 1.0.6.6133 and earlier.
Critical Impact
Local attackers can escalate privileges to SYSTEM by planting a malicious binary along the unquoted service path.
Affected Products
- Asustor Backup Plan (ABP) 2.0.7.6130 and earlier
- Asustor EZ Sync (AES) 1.0.6.6133 and earlier
- Windows hosts running the affected ABP or AES services
Discovery Timeline
- 2025-07-23 - CVE-2025-8070 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-8070
Vulnerability Analysis
The vulnerability stems from how Windows parses service ImagePath registry values. When a service binary path contains spaces and is not enclosed in quotes, the Service Control Manager interprets each whitespace-delimited segment as a potential executable. For a path like C:\Program Files\Asustor\service.exe, Windows sequentially attempts C:\Program.exe, then C:\Program Files\Asustor\service.exe, until one resolves. An attacker who can drop a file at C:\Program.exe causes the service to launch the attacker-controlled binary instead of the intended one.
Because ABP and AES services run with elevated privileges, the planted binary inherits SYSTEM-level rights at service start. This converts a low-privileged local foothold into full host compromise.
Root Cause
The root cause is improper service registration. The installer writes the ImagePath value without wrapping the binary path in double quotes, leaving the path subject to Windows path tokenization. The weakness maps to [CWE-428] Unquoted Search Path or Element.
Attack Vector
Exploitation requires local access with permission to write to a root directory such as C:\ or an intermediate folder along the service path. The attacker places a malicious executable named to match the first path token, such as Program.exe. On the next service start or system reboot, the Service Control Manager executes the attacker binary in the service security context. No user interaction is required.
No public proof-of-concept code has been published for this issue. See the Asustor Security Advisory #47 for vendor details.
Detection Methods for CVE-2025-8070
Indicators of Compromise
- Presence of unexpected executables in root directories such as C:\Program.exe, C:\Program Files\Common.exe, or other path-prefix locations
- Service start events where the resolved binary differs from the installed ABP or AES executable
- New child processes spawned by services.exe that originate outside the legitimate Asustor installation directory
Detection Strategies
- Audit the registry under HKLM\SYSTEM\CurrentControlSet\Services\ for ImagePath values containing spaces but no surrounding quotes
- Hunt for file creation events on root drive paths that align with unquoted service path tokens
- Correlate Windows Security Event ID 4688 (process creation) with parent process services.exe and unusual image paths
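The registry audit in the first item above, combined with the path tokenization described under Vulnerability Analysis, can be scripted as follows. This is an added example, not Asustor or vendor code: the function names and the constructed sample values are assumptions, and the extension handling assumes the documented CreateProcess behaviour of appending .exe only to names without an extension.

```python
import ntpath
import re
import sys
# Executable part of an ImagePath: text up to the first ".exe"; arguments follow.
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)

def candidate_paths(image_path):
    """Paths tried before the intended binary; [] if quoted or space-free."""
    value = image_path.strip()
    if value.startswith('"'):
        return []
    match = _EXE.match(value)
    exe = match.group(1) if match else value
    found = []
    for i, ch in enumerate(exe):
        if ch == " " and exe[i - 1] != " ":
            head = exe[:i]  # ".exe" is appended only if the name has no extension
            found.append(head if ntpath.splitext(head)[1] else head + ".exe")
    return found

def audit(image_paths):
    # Map each at-risk service name to the earlier paths that must not exist.
    return {n: c for n, p in image_paths.items() if (c := candidate_paths(p))}

def read_live_image_paths():
    """Read and expand ImagePath for every local service (Windows only)."""
    import winreg
    paths = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as key:
                    value, _ = winreg.QueryValueEx(key, "ImagePath")
                    paths[name] = winreg.ExpandEnvironmentStrings(value)
            except (OSError, TypeError):
                continue  # no ImagePath value, or not a string
    return paths

SAMPLE = {  # constructed values for offline use, not taken from a real host
    "ExampleUnquoted": r"C:\Program Files\Asustor\service.exe",
    "ExampleQuoted": r'"C:\Program Files\Asustor\service.exe" --run',
    "ExampleNoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    data = read_live_image_paths() if sys.platform == "win32" else SAMPLE
    for name, cands in audit(data).items():
        print(f"{name}: unquoted ImagePath, verify these do not exist: {cands}")
```

Each reported path is a location to check for unexpected files and for write permissions granted to non-administrative users.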
Monitoring Recommendations
- Enable command-line auditing and Sysmon Event ID 1 to capture full service launch paths
- Alert on writes to C:\ or other privileged root locations by non-administrative users
- Track service configuration changes through Event ID 7045 and registry auditing on the Services hive
How to Mitigate CVE-2025-8070
Immediate Actions Required
- Update ABP and AES to the fixed versions published in the Asustor advisory
- Inventory all Windows services and identify any with unquoted ImagePath values containing spaces
- Restrict write permissions on C:\ and other root directories to administrators only
Patch Information
Asustor has released fixed versions addressing CVE-2025-8070. Refer to Asustor Security Advisory #47 for the patched build numbers and upgrade instructions. Apply the vendor update across all hosts running ABP or AES.
Workarounds
- Manually edit the affected service ImagePath registry value to wrap the full executable path in double quotes
- Remove write access to root-level filesystem locations for non-privileged users and groups
- Disable the ABP and AES services on hosts where they are not actively required until patching completes
REM Example: correct an unquoted ImagePath via reg.exe (run from an elevated Command Prompt; replace <ServiceName> with the affected service's key name)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Asustor\service.exe\"" /f