CVE Details
Basic Information
| Title | Windows service registered with an unquoted ImagePath vulnerability in the system registry |
|---|---|
| Type | cve |
| Published | 2025-07-23T07:26:03.531Z |
| Modified | 2025-07-23T07:27:30.090Z |
Product Information
| Vendor | ASUSTOR |
|---|---|
| Product | ABP and AES |
| Version | ABP 2.0 |
CVSS Information
| Base Score | 9.2 (CRITICAL) |
|---|---|
| Attack Vector | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:N/SA:N |
AI Analysis
| AI Description | A vulnerability in the Windows service configuration of ABP and AES allows local attackers to execute arbitrary code via an unquoted ImagePath registry value. This could lead to privilege escalation to SYSTEM level if the service runs with elevated privileges. |
|---|---|
| AI Severity | Critical |
| AI Vendor | ASUSTOR |
| AI Product | ABP and AES |
| AI Version | ABP 2.0.7.6130 and earlier, AES 1.0.6.6133 and earlier |
Affected Products
- ASUSTOR ABP and AES ABP 2.0
- ASUSTOR ABP and AES AES 1.0
Additional Information
| CWE List | CWE-428 |
|---|---|
| Source | ASUSTOR1 |
Description
The Windows service configuration of ABP and AES contains an unquoted ImagePath registry value vulnerability. This allows a local attacker to execute arbitrary code by placing a malicious executable in a predictable location such as C:\Program.exe. If the service runs with elevated privileges, exploitation results in privilege escalation to SYSTEM level. This vulnerability arises from an unquoted service path affecting systems where the executable resides in a path containing spaces.
Affected products and versions include: ABP 2.0.7.6130 and earlier as well as AES 1.0.6.6133 and earlier.
Affected products and versions include: ABP 2.0.7.6130 and earlier as well as AES 1.0.6.6133 and earlier.