A critical vulnerability has been discovered in AOMEI Cyber Backup products, identified as CVE-2025-8610. This flaw allows a remote, unauthenticated attacker to execute arbitrary code on the backup server, potentially leading to a complete system compromise. Successful exploitation could result in data theft, deletion of critical backups, or the deployment of ransomware, posing a severe threat to business continuity and data security.

This vulnerability is a result of a missing authentication check for a critical function within the AOMEI Cyber Backup software. An unauthenticated attacker on the network can send a specially crafted request to a specific endpoint of the application's web interface. Because the software fails to verify if the user is authorized to perform this action, the request is processed, allowing the attacker to execute arbitrary commands on the underlying server with the privileges of the backup service account, which is often a highly privileged user.

This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit would grant an attacker complete control over the AOMEI Cyber Backup server. The potential business impact includes the compromise of data confidentiality, integrity, and availability. An attacker could exfiltrate sensitive data contained within backups, maliciously delete or corrupt all backup data to disrupt disaster recovery operations, or use the compromised server as a beachhead to pivot and launch further attacks against the internal network. The risk of a ransomware attack originating from the compromised backup server is also significantly high.

Immediate Action: Immediately apply the security updates provided by AOMEI to patch all affected installations of AOMEI Cyber Backup Multiple Products to the latest version. After patching, it is crucial to review system and application logs for any signs of compromise that may have occurred prior to the patch being applied.

Proactive Monitoring:

• Log Analysis: Review AOMEI Cyber Backup application logs and web server access logs for unusual requests, especially those targeting administrative functions from unknown IP addresses.
• Network Traffic: Monitor network traffic to and from the backup server for anomalous data flows, connections to suspicious external hosts, or signs of command-and-control (C2) communication.
• Endpoint Detection: Utilize EDR or system monitoring tools to detect the creation of unexpected processes, files, or scheduled tasks originating from the AOMEI Cyber Backup service.

Compensating Controls:

• Network Segmentation: Restrict network access to the AOMEI Cyber Backup management interface using a host-based or network firewall. Only allow connections from a dedicated administrative jump box or trusted IP address range.
• Access Control: If possible, place the backup server in an isolated network segment to limit its ability to communicate with other parts of the corporate network.
• Increased Auditing: Temporarily increase logging levels on the affected server to capture more detailed information about all system and application activity until patching is complete.

Public Exploit Available: false

This vulnerability represents a critical and immediate threat to the organization. Due to the critical CVSS score of 9.8 and the trivial nature of exploitation, we strongly recommend that all affected AOMEI Cyber Backup installations are patched on an emergency basis. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity makes it a prime candidate for future inclusion. Organizations must prioritize the remediation plan to prevent a potentially devastating system compromise and data breach.