A critical remote code execution vulnerability has been discovered in AOMEI Cyber Backup, identified as CVE-2025-8611 with a CVSS score of 9.8. This flaw allows a remote, unauthenticated attacker to bypass security checks and execute arbitrary code, leading to a complete compromise of the affected backup server. Successful exploitation could result in data theft, ransomware deployment, and significant disruption to business continuity and disaster recovery capabilities.

The vulnerability exists due to a missing authentication check on a critical function within the AOMEI Cyber Backup application's web interface. A remote attacker can craft a specialized, unauthenticated request to a specific API endpoint on an exposed server. This request can include a malicious payload, which the application will execute with the same privileges as the backup service, potentially leading to full system control (e.g., SYSTEM on Windows or root on Linux).

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a severe and immediate risk to the organization. A successful exploit allows for unauthenticated Remote Code Execution (RCE), which could lead to a complete system compromise of the backup server. Potential consequences include the theft or destruction of sensitive backup data, deployment of ransomware across the network, installation of persistent backdoors for long-term access, and the ability for an attacker to pivot to other critical systems. The compromise of a backup system directly threatens an organization's ability to recover from any incident, magnifying the overall business impact.

Immediate Action: The primary remediation is to apply the vendor-supplied security patch immediately. Update AOMEI Cyber Backup to the latest version to resolve the missing authentication vulnerability. After patching, it is crucial to monitor for any signs of post-exploitation activity and thoroughly review application and system access logs for indicators of compromise that may have occurred prior to the update.

Proactive Monitoring: Implement enhanced monitoring on AOMEI Cyber Backup servers. Security teams should look for anomalous network traffic to and from the server, especially direct connections from untrusted IP addresses. Monitor system processes for any unexpected child processes spawned by the AOMEI service. Review web server and application logs for unusual requests, particularly those targeting API endpoints without authentication tokens or session cookies.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce the risk of exploitation:

• Restrict network access to the AOMEI Cyber Backup management interface to a limited set of trusted administrative IP addresses using a firewall.
• Place the backup server in a segmented network zone with strict ingress and egress filtering.
• If possible, deploy a Web Application Firewall (WAF) with rules designed to inspect and block malicious requests targeting the vulnerable function.

Public Exploit Available: False (as of Aug 20, 2025)

Given the critical CVSS score of 9.8 and the unauthenticated remote code execution nature of this vulnerability, we strongly recommend that immediate action be taken. The risk of complete system compromise is exceptionally high. Organizations must prioritize the deployment of the vendor-provided patch to all affected AOMEI Cyber Backup installations. While this CVE is not yet listed on the CISA KEV catalog, its severity makes it a prime candidate for future inclusion. If patching is delayed, the compensating controls listed above should be implemented without exception to mitigate the immediate threat.