CVE-2025-8611 Overview
CVE-2025-8611 is a critical missing authentication vulnerability affecting AOMEI Cyber Backup that allows remote attackers to execute arbitrary code on affected installations without any authentication. The vulnerability exists within the DaoService service, which listens on TCP port 9074 by default, and results from the lack of authentication prior to allowing access to critical functionality. An attacker can leverage this vulnerability to execute code in the context of SYSTEM, achieving complete compromise of the affected system.
Critical Impact
Unauthenticated remote attackers can achieve SYSTEM-level code execution on affected AOMEI Cyber Backup installations, potentially compromising backup infrastructure and all associated data.
Affected Products
- AOMEI Cyber Backup version 3.7.0
- AOMEI Cyber Backup installations with DaoService exposed on TCP port 9074
Discovery Timeline
- 2025-08-20 - CVE-2025-8611 published to NVD
- 2025-08-22 - Last updated in NVD database
Technical Details for CVE-2025-8611
Vulnerability Analysis
This vulnerability is classified as CWE-306 (Missing Authentication for Critical Function), representing a fundamental design flaw in the AOMEI Cyber Backup application. The DaoService component exposes functionality on TCP port 9074 without implementing any form of authentication, allowing any network-accessible attacker to interact with the service and execute privileged operations.
The vulnerability is particularly severe because the DaoService runs with SYSTEM privileges on Windows systems, meaning any code executed through this attack vector inherits those elevated permissions. Backup software typically requires high privileges to access all files on a system, making it an attractive target for attackers seeking to establish persistence or exfiltrate sensitive data.
Root Cause
The root cause of CVE-2025-8611 lies in the absence of authentication mechanisms in the DaoService service. The service accepts and processes requests from any network client without verifying the identity or authorization of the requestor. This design oversight allows unauthenticated remote access to critical functionality that should be restricted to authorized administrators only.
Attack Vector
The attack vector for this vulnerability is network-based, targeting the DaoService listening on TCP port 9074. An attacker with network access to the vulnerable service can send specially crafted requests to execute arbitrary code. The attack requires no prior authentication, no user interaction, and can be executed remotely over the network.
The exploitation path involves:
- Identifying systems running AOMEI Cyber Backup with TCP port 9074 accessible
- Connecting to the DaoService without authentication
- Sending malicious requests to trigger code execution
- Achieving SYSTEM-level access on the compromised host
For technical details regarding exploitation, refer to the Zero Day Initiative Advisory ZDI-25-807.
Detection Methods for CVE-2025-8611
Indicators of Compromise
- Unexpected network connections to TCP port 9074 from unauthorized IP addresses
- Unusual processes spawned as child processes of the AOMEI Cyber Backup DaoService
- New user accounts or scheduled tasks created on systems running AOMEI Cyber Backup
- Suspicious SYSTEM-level process executions correlating with activity on port 9074
Detection Strategies
- Monitor network traffic for connections to TCP port 9074 from untrusted sources
- Implement endpoint detection rules to alert on suspicious child processes spawned by the DaoService
- Deploy SentinelOne's behavioral AI to detect unauthorized code execution patterns associated with backup service exploitation
- Create network IDS signatures to detect exploitation attempts targeting the DaoService
Monitoring Recommendations
- Enable detailed logging for the AOMEI Cyber Backup application and the DaoService component
- Configure network firewalls to log and alert on external access attempts to TCP port 9074
- Implement SentinelOne Singularity to provide real-time visibility and protection against exploitation attempts
- Regularly audit systems running AOMEI Cyber Backup for signs of compromise or unauthorized access
How to Mitigate CVE-2025-8611
Immediate Actions Required
- Restrict network access to TCP port 9074 using firewall rules, allowing only trusted administrative hosts
- Consider disabling the DaoService if remote management functionality is not required
- Isolate systems running AOMEI Cyber Backup from untrusted network segments
- Deploy SentinelOne agents on all backup infrastructure to detect and prevent exploitation attempts
Patch Information
Check the Zero Day Initiative Advisory ZDI-25-807 for the latest information regarding vendor patches and updates. Contact AOMEI Technology directly for information about patched versions addressing CVE-2025-8611.
Workarounds
- Implement strict firewall rules to block all untrusted access to TCP port 9074
- Place AOMEI Cyber Backup servers on isolated network segments with restricted access
- Use VPN or other secure access methods for remote administration of backup infrastructure
- Monitor the DaoService for any unauthorized access attempts until a patch is available
# Example Windows Firewall rule to restrict DaoService access
netsh advfirewall firewall add rule name="Block DaoService External Access" dir=in protocol=tcp localport=9074 action=block
netsh advfirewall firewall add rule name="Allow DaoService Admin Hosts" dir=in protocol=tcp localport=9074 remoteip=10.0.0.5,10.0.0.6 action=allow
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
