CVE-2025-8610 Overview
CVE-2025-8610 is a critical missing authentication vulnerability affecting AOMEI Cyber Backup that allows remote attackers to execute arbitrary code on affected installations. The vulnerability exists in the StorageNode service, which listens on TCP port 9075 by default, and does not require authentication to exploit. An attacker can leverage this flaw to execute code in the context of SYSTEM, resulting in complete system compromise.
Critical Impact
Remote attackers can execute arbitrary code with SYSTEM privileges without authentication, leading to complete system compromise.
Affected Products
- AOMEI Cyber Backup version 3.7.0
Discovery Timeline
- 2025-08-20 - CVE-2025-8610 published to NVD
- 2025-08-25 - Last updated in NVD database
Technical Details for CVE-2025-8610
Vulnerability Analysis
This vulnerability is classified as CWE-306 (Missing Authentication for Critical Function). The StorageNode service in AOMEI Cyber Backup exposes critical functionality over the network without requiring any form of authentication. The service binds to TCP port 9075 by default and processes incoming requests that can lead to code execution.
The lack of authentication controls allows any network-accessible attacker to interact with the service and invoke functionality that should be restricted to authorized administrators. Since the service runs with elevated SYSTEM privileges, successful exploitation grants the attacker complete control over the affected system.
Root Cause
The root cause of CVE-2025-8610 is the absence of authentication mechanisms in the StorageNode service. The service was designed to provide backup storage functionality but fails to validate the identity of connecting clients before processing their requests. This design flaw allows unauthenticated access to critical administrative functions that can be abused for remote code execution.
Attack Vector
The attack vector for this vulnerability is network-based and requires no user interaction or prior authentication. An attacker with network access to TCP port 9075 on a system running AOMEI Cyber Backup can directly interact with the StorageNode service. By sending specially crafted requests to the service, the attacker can trigger code execution in the context of SYSTEM.
The vulnerability is particularly dangerous in enterprise environments where AOMEI Cyber Backup may be deployed to protect critical systems. If the StorageNode service is exposed to untrusted networks or the internet, remote attackers can compromise backup infrastructure without any credentials.
For detailed technical information, refer to the Zero Day Initiative Advisory ZDI-25-808.
Detection Methods for CVE-2025-8610
Indicators of Compromise
- Unexpected network connections to TCP port 9075 from unauthorized IP addresses
- Anomalous process execution spawned from the StorageNode service
- SYSTEM-level processes launched with unusual command-line arguments
- Network traffic patterns indicating exploitation attempts against the backup service
Detection Strategies
- Monitor network traffic to TCP port 9075 for connections from untrusted sources
- Implement network intrusion detection signatures to identify exploitation attempts targeting the StorageNode service
- Deploy endpoint detection and response (EDR) solutions to monitor for suspicious process creation chains originating from backup software
- Review Windows Security Event logs for unexpected SYSTEM-level process execution
Monitoring Recommendations
- Configure firewall rules to restrict access to TCP port 9075 to authorized management systems only
- Implement network segmentation to isolate backup infrastructure from general user networks
- Enable verbose logging on the AOMEI Cyber Backup service and forward logs to a SIEM for analysis
- Monitor for lateral movement attempts following potential compromise of backup servers
How to Mitigate CVE-2025-8610
Immediate Actions Required
- Restrict network access to TCP port 9075 using firewall rules to allow only trusted management systems
- Isolate affected systems from untrusted network segments until patches can be applied
- Monitor affected systems for signs of compromise or exploitation attempts
- Review network logs for any historical connections to port 9075 from unexpected sources
Patch Information
Check the Zero Day Initiative Advisory ZDI-25-808 for the latest patch information from AOMEI. Contact the vendor directly for security updates that address this vulnerability.
Workarounds
- Implement firewall rules to block external access to TCP port 9075
- Deploy network segmentation to isolate backup infrastructure
- Consider disabling the StorageNode service if not actively required until a patch is available
- Use a VPN or jump server for administrative access to backup systems
# Example Windows Firewall rule to restrict StorageNode access
netsh advfirewall firewall add rule name="Block StorageNode External" dir=in action=block protocol=tcp localport=9075 remoteip=any
netsh advfirewall firewall add rule name="Allow StorageNode Trusted" dir=in action=allow protocol=tcp localport=9075 remoteip=10.0.0.0/8,192.168.0.0/16
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
