CVE-2025-13051
📋 TL;DR
This vulnerability allows attackers to achieve privilege escalation by planting malicious DLLs in writable service directories. When ABP or AES services restart, they load these DLLs with LocalSystem privileges, enabling unauthorized code execution. This affects ABP versions 2.0 through 2.0.7.9050 and AES versions 1.0 through 1.0.6.8290.
💻 Affected Systems
- ABP
- AES
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with LocalSystem privileges, allowing attackers to install persistent backdoors, steal credentials, disable security controls, and pivot to other systems.
Likely Case
Local privilege escalation leading to unauthorized administrative access, data theft, and installation of additional malware on affected systems.
If Mitigated
Limited impact: proper directory permissions prevent DLL planting, and the need for a service restart further narrows the attack window.
🎯 Exploit Status
Exploitation requires initial access to plant DLLs, plus the ability to trigger a service restart or wait for a scheduled restart.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ABP: 2.0.8+, AES: 1.0.7+
Vendor Advisory: https://www.asustor.com/security/security_advisory_detail?id=48
Restart Required: Yes
Instructions:
1. Download latest version from vendor website.
2. Install update following vendor instructions.
3. Restart affected services.
4. Verify directory permissions are secure.
🔧 Temporary Workarounds
Secure Directory Permissions
Windows: Restrict write permissions on service installation directories to prevent DLL planting.
icacls "C:\Program Files\ABP" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F"
icacls "C:\Program Files\AES" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F"
Monitor DLL Loading
All: Implement monitoring for DLL loading from unexpected locations or by ABP/AES services.
🧯 If You Can't Patch
- Restrict service installation directories to read-only for non-administrative users.
- Implement application whitelisting to prevent execution of unauthorized DLLs.
🔍 How to Verify
Check if Vulnerable:
Check ABP version with 'ABP.exe --version' and AES version with 'AES.exe --version'. Verify if versions are within affected ranges and check directory permissions.
Check Version:
ABP.exe --version && AES.exe --version
Verify Fix Applied:
Confirm version is ABP 2.0.8+ or AES 1.0.7+ using version commands. Verify directory permissions restrict write access to administrators only.
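The directory-permission check above can be automated over saved icacls output. The following is an added example, not part of the vendor advisory or this page's original content: it parses the text printed by icacls "C:\Program Files\ABP" and reports allow ACEs that give write access to principals outside a trusted set. The trusted set, the function name and the sample outputs are assumptions made for illustration.

```python
import re

# icacls rights that allow creating or replacing files in a directory:
# F full, M modify, W write, WD write data/add file, AD add subdirectory,
# GA/GW generic all/write.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GA", "GW"}
# Assumption: English account names; extend for localized or custom admin groups.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\ADMINISTRATORS",
           "NT SERVICE\\TRUSTEDINSTALLER"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^()]+\))+)$")

def risky_aces(icacls_output, path):
    """Return (principal, rights) for allow ACEs that let untrusted principals write."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first ACE line is prefixed by the path
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        groups = re.findall(r"\(([^()]+)\)", m["flags"])
        if "DENY" in groups:
            continue  # deny ACEs grant nothing
        rights = {r for g in groups for r in g.split(",")} & WRITE_RIGHTS
        if rights and m["who"].upper() not in TRUSTED:
            findings.append((m["who"], sorted(rights)))
    return findings

PATH = r"C:\Program Files\ABP"
# Constructed sample outputs, not captured from a real host.
BEFORE = r"""C:\Program Files\ABP NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                     BUILTIN\Administrators:(OI)(CI)(F)
                     BUILTIN\Users:(OI)(CI)(RX)
                     NT AUTHORITY\Authenticated Users:(OI)(CI)(M)

Successfully processed 1 files; Failed processing 0 files"""
AFTER = r"""C:\Program Files\ABP NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                     BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, risky_aces(text, PATH) or "no untrusted write access")
```

icacls /grant:r only replaces explicit ACEs for the principals named on the command line, so explicit entries for other accounts survive the workaround; re-run icacls afterwards and check the new output the same way.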
📡 Detection & Monitoring
Log Indicators:
- Event ID 4697: Service installation
- Event ID 7045: Service installed
- Sysmon Event ID 7: Image loaded from unusual location
Network Indicators:
- Unusual outbound connections from ABP/AES services
- Unexpected service restarts
SIEM Query:
source="windows" (event_id=4697 OR event_id=7045) AND (process_name="ABP.exe" OR process_name="AES.exe")