CVE-2025-43596

7.8 HIGH

📋 TL;DR

An insecure file system permissions vulnerability in MSP360 Backup 8.0 allows low-privileged users to execute arbitrary commands with SYSTEM privileges by exploiting specially crafted backup target files. This affects all systems running vulnerable versions of MSP360 Backup, enabling privilege escalation from standard user accounts to full system control.

💻 Affected Systems

Products:
  • MSP360 Backup (formerly CloudBerry Backup)
Versions: Version 8.0 up to but not including 8.1.1.19
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires low-privileged user access to the system running MSP360 Backup with backup functionality enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining persistent SYSTEM-level access, installing malware, stealing sensitive data, and pivoting to other systems in the network.

🟠 Likely Case

Privilege escalation from standard user to SYSTEM, allowing installation of backdoors, credential theft, and lateral movement within the network.

🟢 If Mitigated

Limited impact if proper access controls restrict low-privileged users from accessing backup functionality and file system locations.

🌐 Internet-Facing: LOW (Backup software typically runs internally, not directly internet-exposed)
🏢 Internal Only: HIGH (Internal attackers or compromised accounts can exploit this for privilege escalation)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated low-privileged access. Exploitation involves creating specially crafted backup target files to trigger privilege escalation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.1.1.19

Vendor Advisory: https://help.msp360.com/cloudberry-backup/whats-new

Restart Required: Yes

Instructions:

1. Download MSP360 Backup 8.1.1.19 from official vendor sources.
2. Run the installer as administrator.
3. Follow installation prompts.
4. Restart the system after installation completes.

🔧 Temporary Workarounds

Restrict Backup Permissions

Limit backup configuration and file system access to administrative users only

Use Windows Group Policy to restrict access to MSP360 Backup directories and executables to administrators only

Disable Low-Privileged Backup Access

Prevent non-administrative users from configuring or running backups

Remove backup permissions from standard user accounts in MSP360 Backup settings

🧯 If You Can't Patch

  • Implement strict access controls to ensure only trusted administrators can configure or modify backup settings
  • Monitor file system changes in backup target directories and alert on suspicious file creations or modifications

🔍 How to Verify

Check if Vulnerable:

Check the MSP360 Backup version in Help > About. If the version is 8.0 or later and lower than 8.1.1.19, the system is vulnerable.

Check Version:

Check application version via GUI (Help > About) or registry: HKEY_LOCAL_MACHINE\SOFTWARE\MSP360\Backup\Version

Verify Fix Applied:

Verify version shows 8.1.1.19 or higher in Help > About after patching.
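
A scripted form of the version check above, as an added example (not from the vendor or from this page's source). It assumes `Version` is a string value under the `HKLM:\SOFTWARE\MSP360\Backup` key named above; the function name and the sample version strings are constructed for illustration. Versions are compared numerically, so 8.1.1.9 is not mistaken for a build newer than 8.1.1.19.

```powershell
# Added example: classify an MSP360 Backup install against the range in this advisory
# (8.0 up to but not including 8.1.1.19).
# Assumption: "Version" is a string value under the key below, as listed on this page.
$KeyPath       = 'HKLM:\SOFTWARE\MSP360\Backup'
$FirstAffected = [version]'8.0'
$FirstFixed    = [version]'8.1.1.19'

function Get-Msp360Exposure {
    # Hypothetical helper name; returns Fixed, Vulnerable, NotInAffectedRange or Unknown.
    param([Parameter(Mandatory)][string]$VersionString)

    $parsed = $null
    if (-not [version]::TryParse($VersionString.Trim(), [ref]$parsed)) {
        return 'Unknown'    # unparsable value: confirm by hand in Help > About
    }
    # [version] compares each component as an integer, unlike a string comparison.
    if ($parsed -ge $FirstFixed)    { return 'Fixed' }
    if ($parsed -ge $FirstAffected) { return 'Vulnerable' }
    return 'NotInAffectedRange'
}

# Check the local machine.
$item = Get-ItemProperty -Path $KeyPath -Name 'Version' -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Output "No Version value found under $KeyPath"
} else {
    $status = Get-Msp360Exposure -VersionString ([string]$item.Version)
    Write-Output ('{0}: {1}' -f $item.Version, $status)
}

# Constructed sample values, including the 8.1.1.9 vs 8.1.1.19 ordering trap.
foreach ($v in '7.9.4.83', '8.0.0.0', '8.1.1.9', '8.1.1.19', '8.2.0.5', 'n/a') {
    '{0,-10} {1}' -f $v, (Get-Msp360Exposure -VersionString $v)
}
```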

📡 Detection & Monitoring

Log Indicators:

  • Unusual backup job creations or modifications by non-admin users
  • File creation events in backup target directories from low-privileged accounts
  • Process creation events showing MSP360 Backup spawning unexpected child processes

Network Indicators:

  • Unusual outbound connections from backup server following backup job execution

SIEM Query:

EventID=4688 AND NewProcessName LIKE '%MSP360%' AND SubjectUserName NOT IN (admin_users_list)
