CVE Vulnerability Database

CVE-2025-8611: Aomeitech Cyber Backup RCE Vulnerability

CVE-2025-8611 is a remote code execution flaw in Aomeitech Cyber Backup that allows unauthenticated attackers to execute arbitrary code as SYSTEM. This article covers technical details, affected versions, and mitigation.


CVE-2025-8611 Overview

CVE-2025-8611 is a critical missing authentication vulnerability in AOMEI Cyber Backup that allows unauthenticated remote attackers to execute arbitrary code as SYSTEM. The flaw resides in the DaoService component, which listens on TCP port 9074 by default. Because the service exposes sensitive functionality without performing authentication checks, any attacker with network reachability can invoke privileged operations. The vulnerability is tracked under Zero Day Initiative identifier ZDI-CAN-26158 and classified as CWE-306: Missing Authentication for Critical Function.

Critical Impact

Unauthenticated remote code execution as SYSTEM on hosts running AOMEI Cyber Backup, enabling full host compromise, backup data theft, and ransomware staging.

Affected Products

  • AOMEI Cyber Backup 3.7.0
  • AOMEI Cyber Backup installations exposing the DaoService on TCP port 9074
  • Windows hosts where the AOMEI Cyber Backup service runs with SYSTEM privileges

Discovery Timeline

  • 2025-08-20 - CVE-2025-8611 published to NVD
  • 2025-08-22 - Last updated in NVD database

Technical Details for CVE-2025-8611

Vulnerability Analysis

The vulnerability resides in the DaoService component of AOMEI Cyber Backup. This service binds to TCP port 9074 and accepts requests from network clients. The service exposes functionality that should require authentication, but the implementation does not verify caller identity before processing requests. An attacker who can reach the port over the network can invoke sensitive operations directly.

Because the DaoService runs in the context of the SYSTEM account on Windows hosts, successful exploitation yields full administrative control of the operating system. Attackers can deploy persistence, disable security tooling, exfiltrate backup data, or stage ransomware. The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function), one of the more common high-impact weaknesses in network-exposed enterprise software.

The EPSS model assigns this CVE an elevated exploitation probability, reflecting the combination of remote attack vector, lack of authentication, and SYSTEM-level execution.

Root Cause

The root cause is the absence of an authentication or authorization layer in front of privileged DaoService methods. Network-exposed handlers process attacker-controlled input and execute privileged actions without first validating the requesting principal. Reference details are documented in the Zero Day Initiative Advisory ZDI-25-807.

Attack Vector

The attack vector is fully network-based and requires no user interaction or credentials. An attacker sends a crafted request to TCP port 9074 on a host running AOMEI Cyber Backup. The request invokes a DaoService operation that leads to arbitrary code execution under the SYSTEM account. No verified public proof-of-concept code is available at this time; refer to the ZDI advisory for further technical context.

Detection Methods for CVE-2025-8611

Indicators of Compromise

  • Unexpected inbound TCP connections to port 9074 from untrusted networks or hosts outside the backup administration scope.
  • Child processes of the AOMEI Cyber Backup service binary spawning shells (cmd.exe, powershell.exe) or LOLBins under the SYSTEM account.
  • New scheduled tasks, services, or local accounts created shortly after DaoService activity.

Detection Strategies

  • Monitor process lineage where the AOMEI Cyber Backup service is the parent of interactive shells, scripting engines, or rundll32.exe/regsvr32.exe.
  • Inspect network telemetry for non-administrative hosts initiating sessions to TCP port 9074.
  • Alert on file writes by the AOMEI service process to user-writable directories, startup locations, or autorun registry keys.

Monitoring Recommendations

  • Enable Windows process creation auditing (Event ID 4688) and Sysmon Event IDs 1, 3, and 11 on hosts running AOMEI Cyber Backup.
  • Forward backup server logs to a centralized SIEM and correlate DaoService activity with subsequent privileged process creation.
  • Track outbound connections from the backup host to detect post-exploitation command-and-control channels.
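The detection strategies and monitoring recommendations above, turned into a small triage routine as an added example (not part of the CVE record or any AOMEI tooling). It runs over constructed dicts standing in for parsed Sysmon Event ID 1 (process create) and Event ID 3 (network connect) records; the AOMEI service image path and the management subnet are assumptions to replace with your own values.

```python
from ipaddress import ip_address, ip_network

DAO_PORT = 9074
# Assumed service binary path (placeholder): use the real AOMEI service image on your hosts.
AOMEI_SERVICE_IMAGE = r"C:\Program Files\AOMEI Cyber Backup\aomei-service-placeholder.exe"
# Interactive shells, scripting engines and LOLBins named in the detection strategies.
SHELL_OR_LOLBIN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
MGMT_NETS = [ip_network("10.10.20.0/24")]  # assumed backup-administration subnet

def suspicious_child(event: dict) -> bool:
    """Sysmon EID 1: the AOMEI service spawning a shell or LOLBin under SYSTEM."""
    if event.get("EventID") != 1:
        return False
    parent_ok = event.get("ParentImage", "").lower() == AOMEI_SERVICE_IMAGE.lower()
    child = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    is_system = event.get("User", "").upper() in {"NT AUTHORITY\\SYSTEM", "SYSTEM"}
    return parent_ok and child in SHELL_OR_LOLBIN and is_system

def unexpected_dao_client(event: dict) -> bool:
    """Sysmon EID 3: an inbound TCP session to 9074 from outside the management subnet."""
    if event.get("EventID") != 3 or event.get("Initiated") != "false":
        return False
    if event.get("Protocol") != "tcp" or int(event.get("DestinationPort", 0)) != DAO_PORT:
        return False
    src = ip_address(event["SourceIp"])
    return not any(src in net for net in MGMT_NETS)

def triage(events):
    """Return (EventID, label) for every record that matches one of the indicators."""
    hits = []
    for e in events:
        if suspicious_child(e):
            hits.append((e["EventID"], "aomei_child_shell"))
        elif unexpected_dao_client(e):
            hits.append((e["EventID"], "dao_untrusted_src"))
    return hits

# Constructed sample events: one true positive and one benign record per event type.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": AOMEI_SERVICE_IMAGE,
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\alice"},
    {"EventID": 3, "Initiated": "false", "Protocol": "tcp",
     "DestinationPort": "9074", "SourceIp": "10.10.20.15"},
    {"EventID": 3, "Initiated": "false", "Protocol": "tcp",
     "DestinationPort": "9074", "SourceIp": "192.0.2.77"},
]

if __name__ == "__main__":
    for event_id, label in triage(SAMPLE_EVENTS):
        print(event_id, label)
```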

How to Mitigate CVE-2025-8611

Immediate Actions Required

  • Restrict network access to TCP port 9074 so that only trusted management hosts can reach the DaoService.
  • Isolate AOMEI Cyber Backup servers on a dedicated management VLAN with strict firewall ingress rules.
  • Review backup server hosts for signs of prior exploitation, including unauthorized accounts, scheduled tasks, and unexpected service binaries.
  • Apply the vendor-supplied security update once AOMEI publishes a fixed release.

Patch Information

At the time of publication, no vendor advisory URL is listed in the CVE record. Administrators should consult AOMEI Technology directly and monitor the Zero Day Initiative Advisory ZDI-25-807 for updates on patched versions beyond AOMEI Cyber Backup 3.7.0.

Workarounds

  • Block TCP port 9074 at the host firewall and perimeter for all sources except authorized backup administration systems.
  • Stop or disable the DaoService if the affected functionality is not required for production operations.
  • Place backup infrastructure behind a VPN or zero-trust network access gateway to remove direct internet exposure.
Configuration example (run from an elevated cmd.exe prompt): restrict access to the DaoService TCP port 9074 on Windows.

:: Windows Firewall gives explicit block rules precedence over allow rules, so an
:: unscoped block on port 9074 would silently override the management-subnet allow
:: rule. The block rule is therefore scoped to every address outside 10.10.20.0/24.
netsh advfirewall firewall add rule ^
    name="Allow AOMEI DaoService from Mgmt Subnet" ^
    dir=in protocol=TCP localport=9074 ^
    remoteip=10.10.20.0/24 action=allow

netsh advfirewall firewall add rule ^
    name="Block AOMEI DaoService 9074 Inbound" ^
    dir=in protocol=TCP localport=9074 ^
    remoteip=0.0.0.0-10.10.19.255,10.10.21.0-255.255.255.255 action=block

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
