CVE-2025-13051 is a critical security vulnerability classified under CWE-427 (Uncontrolled Search Path Element) affecting ASUSTOR's ABP and AES services. These services, when installed in directories writable by non-administrative users, are susceptible to DLL planting attacks. An attacker with limited privileges can replace or insert a malicious DLL that shares the same name as a legitimate DLL loaded by the service. Upon restarting the service, the malicious DLL is loaded and executed with LocalSystem privileges, leading to unauthorized code execution with full system control. This vulnerability affects ABP versions 2.0 through 2.0.7.9050 and AES versions 1.0 through 1.0.6.8290. The attack vector requires local access with low complexity and no user interaction, but privileges are needed to write to the installation directory. The vulnerability impacts confidentiality, integrity, and availability severely, as attackers can execute arbitrary code at the highest privilege level. Although no exploits are currently known in the wild, the high CVSS score (9.3) reflects the critical nature of this flaw. The root cause is improper handling of search paths for DLLs, allowing attackers to influence which DLL is loaded by the service. This is a classic DLL hijacking scenario exacerbated by insecure directory permissions. The vulnerability was published on November 19, 2025, and no patches have been linked yet, emphasizing the need for immediate mitigation steps.

For European organizations, this vulnerability poses a significant risk, especially for those deploying ASUSTOR NAS devices running ABP and AES services in environments where directory permissions are not strictly controlled. Successful exploitation allows attackers to gain LocalSystem privileges, effectively full control over the affected system, which can lead to data breaches, ransomware deployment, or disruption of critical services. Confidentiality is compromised as attackers can access sensitive data stored on NAS devices. Integrity is at risk due to potential unauthorized modifications of files and configurations. Availability can be impacted if attackers disable or manipulate services. Given the criticality of NAS devices in enterprise storage and backup, this vulnerability could disrupt business operations and lead to regulatory non-compliance under GDPR if personal data is exposed. The lack of known exploits in the wild currently reduces immediate risk, but the ease of exploitation and high impact make this a top priority for security teams.

1. Immediately audit and restrict write permissions on directories where ABP and AES services are installed, ensuring only administrative users have write access. 2. Monitor the installation directories for unauthorized DLL files or changes, using file integrity monitoring tools. 3. Until official patches are released by ASUSTOR, consider disabling or stopping the ABP and AES services if they are not critical to operations. 4. Implement application whitelisting to prevent unauthorized DLLs from loading. 5. Use endpoint detection and response (EDR) solutions to detect anomalous process behavior indicative of DLL hijacking or privilege escalation. 6. Educate local administrators and users about the risks of installing or modifying software in insecure directories. 7. Once patches are available, prioritize their deployment across all affected systems. 8. Regularly review and update security policies related to NAS device management and service installations to prevent recurrence.