CVE-2025-53395
📋 TL;DR
This vulnerability allows local attackers to execute arbitrary code with administrator privileges by tricking a user with admin rights into mounting a malicious backup file. Attackers can achieve privilege escalation by placing a crafted .mrimgx file and malicious VSSSvr.dll in the same directory. Users of Macrium Reflect with administrative privileges who mount backup files are affected.
💻 Affected Systems
- Macrium Reflect
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining administrator privileges, allowing installation of persistent malware, data theft, and complete control over the affected system.
Likely Case
Local privilege escalation leading to unauthorized administrative access, potentially enabling lateral movement within the network and further exploitation.
If Mitigated
Limited impact if users operate with least privilege and avoid mounting untrusted backup files, though the vulnerability still exists in the software.
🎯 Exploit Status
Exploitation requires local access and user interaction (mounting a backup file), but the technique is straightforward once those conditions are met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2025-06-26
Vendor Advisory: https://www.macrium.com/blog/macrium-security-advisory-cve-2025-53394-cve-2025-53395
Restart Required: Yes
Instructions:
1. Visit the Macrium website and download the latest version.
2. Uninstall the current version.
3. Install the updated version.
4. Restart the system to ensure all components are updated.
🔧 Temporary Workarounds
Restrict DLL loading from current directory
Configure Windows to prevent DLL loading from the current working directory with the CWDIllegalInDllSearch registry setting. This setting affects only the process's current working directory, not its application directory, so it reduces rather than removes the exposure.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v CWDIllegalInDllSearch /t REG_DWORD /d 0xFFFFFFFF /f
Use least privilege principle
Run Macrium Reflect without administrative privileges when possible, and avoid mounting backup files from untrusted sources.
🧯 If You Can't Patch
- Implement strict access controls to prevent untrusted users from placing files in directories where backups are mounted.
- Educate users to only mount backup files from trusted sources and verify file integrity before mounting.
🔍 How to Verify
Check if Vulnerable:
Check the Macrium Reflect version: if the installed build is dated 2025-06-26 or earlier, the system is vulnerable.
Check Version:
Check Help > About in Macrium Reflect interface or examine installed programs in Control Panel.
Verify Fix Applied:
Verify that the installed version is dated after 2025-06-26, and confirm that mounting a backup no longer causes ReflectMonitor.exe to load VSSSvr.dll from the backup file's directory.
📡 Detection & Monitoring
Log Indicators:
- Unexpected DLL loading events from ReflectMonitor.exe, particularly VSSSvr.dll from unusual locations
- Process creation events showing ReflectMonitor.exe spawning unexpected child processes
Network Indicators:
- No specific network indicators as this is a local privilege escalation vulnerability
SIEM Query:
Process Creation (Sysmon Event ID 1) where Image endswith 'ReflectMonitor.exe' AND ParentImage endswith 'explorer.exe'
OR Image Load (Sysmon Event ID 7) where Image endswith 'ReflectMonitor.exe' AND ImageLoaded endswith 'VSSSvr.dll' AND ImageLoaded is not under the Macrium Reflect installation directory
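The image-load indicator above can be turned into a concrete check. The following is an added example, not code from the advisory or from Macrium: it parses Sysmon Event ID 7 (image loaded) records in their rendered "Key: value" form and flags any VSSSvr.dll that ReflectMonitor.exe maps from outside the Reflect installation directory, marking unsigned loads as well. The install path in TRUSTED_DIRS and the three sample records are assumptions constructed for the example.

```python
"""Flag VSSSvr.dll loads by ReflectMonitor.exe from outside the install
directory, using Sysmon Event ID 7 records. Added example; sample data is
constructed and the install path is an assumption."""
import ntpath
from dataclasses import dataclass

# Assumption: the legitimate Reflect install directory. Set this to the real
# path on your hosts; a load of VSSSvr.dll from anywhere else is suspect.
TRUSTED_DIRS = (r"C:\Program Files\Macrium\Reflect",)

LOADER_NAME = "reflectmonitor.exe"   # process named in the advisory
TARGET_DLL = "vsssvr.dll"            # DLL named in the advisory


@dataclass(frozen=True)
class ImageLoad:
    utc_time: str
    image: str          # process that performed the load
    image_loaded: str   # full path of the DLL that was mapped
    signed: str         # Sysmon "Signed" field, "true" or "false"


def parse_sysmon_image_loads(text):
    """Parse EID 7 records; each starts with 'Image load:' and lists fields one per line."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Image load:":
            if current:
                records.append(current)
            current = {}
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")   # first colon only; paths keep their drive colon
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return [ImageLoad(r.get("UtcTime", ""), r.get("Image", ""),
                      r.get("ImageLoaded", ""), r.get("Signed", "").lower())
            for r in records]


def _under_trusted_dir(path):
    """True if the DLL's folder is one of TRUSTED_DIRS or a subfolder of it."""
    folder = ntpath.normcase(ntpath.dirname(path))
    return any(folder == ntpath.normcase(d) or folder.startswith(ntpath.normcase(d) + "\\")
               for d in TRUSTED_DIRS)


def find_suspicious_loads(events):
    """Return (event, reason) pairs matching the advisory's log indicator."""
    findings = []
    for ev in events:
        if ntpath.basename(ev.image).lower() != LOADER_NAME:
            continue
        if ntpath.basename(ev.image_loaded).lower() != TARGET_DLL:
            continue
        if _under_trusted_dir(ev.image_loaded):
            continue
        reason = "VSSSvr.dll loaded from outside the install directory"
        if ev.signed != "true":
            reason += " (unsigned)"
        findings.append((ev, reason))
    return findings


# Constructed sample: a benign load from the install directory, a load of the
# DLL sitting beside a mounted backup image, and an unrelated process.
SAMPLE_LOG = r"""
Image load:
UtcTime: 2025-07-01 10:15:20.001
Image: C:\Program Files\Macrium\Reflect\ReflectMonitor.exe
ImageLoaded: C:\Program Files\Macrium\Reflect\VSSSvr.dll
Signed: true

Image load:
UtcTime: 2025-07-01 10:15:22.123
Image: C:\Program Files\Macrium\Reflect\ReflectMonitor.exe
ImageLoaded: D:\Downloads\backups\VSSSvr.dll
Signed: false

Image load:
UtcTime: 2025-07-01 10:16:02.500
Image: C:\Windows\explorer.exe
ImageLoaded: D:\Downloads\backups\VSSSvr.dll
Signed: false
"""


def main():
    for ev, reason in find_suspicious_loads(parse_sysmon_image_loads(SAMPLE_LOG)):
        print(f"{ev.utc_time}  {ev.image} -> {ev.image_loaded}: {reason}")


if __name__ == "__main__":
    main()
```

Only the second record is reported: the first is the DLL from its normal location, and the third is a different process loading the same file, which the loader filter deliberately ignores so the rule stays tied to the advisory's indicator.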