MSP360 Free Backup Link Following Local Privilege Escalation Vulnerability

7.3 / 10

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Description

MSP360 Free Backup Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MSP360 Free Backup. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. User interaction on the part of an administrator is needed additionally.

The specific flaw exists within the restore functionality. By creating a junction, an attacker can abuse the service to create arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27245.

Basic Information

ID CVE-2025-12838

Source zdi

Published Dec 23, 2025 at 21:41

Affected Product

Vendor MSP360

Product Free Backup

Version 8.1.0.620

Affected Versions MSP360 Free Backup 8.1.0.620

CWE Classification

CWE-59

References

www.zerodayinitiative.com /advisories/ZDI-25-988/

{
    "lastseen": "",
    "description": "MSP360 Free Backup Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MSP360 Free Backup. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. User interaction on the part of an administrator is needed additionally.\n\nThe specific flaw exists within the restore functionality. By creating a junction, an attacker can abuse the service to create arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27245.",
    "published": "2025-12-23T21:41:11.250Z",
    "modified": "2025-12-23T21:41:11.250Z",
    "type": "cve",
    "title": "MSP360 Free Backup Link Following Local Privilege Escalation Vulnerability",
    "source": "zdi",
    "references": "https://www.zerodayinitiative.com/advisories/ZDI-25-988/",
    "id": "CVE-2025-12838",
    "bulletinFamily": "",
    "cwe": [
        "CWE-59"
    ],
    "cvelist": null,
    "sourceData": "MSP360 Free Backup 8.1.0.620",
    "sourceHref": "",
    "cvss": {
        "score": 7.3,
        "severity": "HIGH",
        "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
        "version": "3.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Free Backup",
    "version": "8.1.0.620",
    "vendor": "MSP360",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

MSP360 Free Backup Link Following Local Privilege Escalation Vulnerability_CVE-2025-12838