CVE-2025-51463 is a path traversal vulnerability found in the restore_run_backup() function of AIM version 3.28.0. This vulnerability allows remote attackers to write arbitrary files to the server's filesystem by submitting a specially crafted backup tar file to the run_instruction API. The vulnerability arises because the tar file is extracted during the restoration process without proper path validation, enabling attackers to traverse directories and overwrite or create files outside the intended extraction directory. This can lead to unauthorized file creation or modification, potentially allowing attackers to implant malicious files, alter configuration files, or disrupt system operations. The vulnerability does not require authentication or user interaction, increasing its risk profile. Although no known exploits are currently reported in the wild, the nature of the vulnerability makes it a significant risk if weaponized. The lack of a CVSS score indicates that this vulnerability is newly published and may not yet have undergone comprehensive impact assessment. However, the ability to write arbitrary files remotely without authentication is a critical security flaw that can compromise confidentiality, integrity, and availability of affected systems.

For European organizations, this vulnerability poses a serious risk, especially for those using AIM 3.28.0 or similar versions. The arbitrary file write capability can lead to system compromise, data breaches, or service disruption. Critical infrastructure, financial institutions, healthcare providers, and government agencies in Europe that rely on AIM for backup and restoration processes could face operational downtime or data integrity issues. Attackers could implant backdoors, modify security configurations, or disrupt backup restorations, undermining business continuity and regulatory compliance (e.g., GDPR). The remote and unauthenticated nature of the exploit increases the likelihood of automated attacks targeting vulnerable systems across Europe. Additionally, organizations with interconnected networks may experience lateral movement by attackers leveraging this vulnerability, amplifying the impact.

Organizations should immediately audit their use of AIM software, specifically verifying the version in use and whether it includes the vulnerable restore_run_backup() function. Until a patch or update is released, it is critical to restrict access to the run_instruction API to trusted networks and authenticated users only, employing network segmentation and firewall rules to limit exposure. Implement strict input validation and monitoring on backup files submitted for restoration, including scanning tar files for path traversal patterns before extraction. Employ application-layer security controls such as Web Application Firewalls (WAFs) configured to detect and block suspicious payloads targeting the backup restoration endpoints. Regularly monitor system logs for unusual file creation or modification activities. Organizations should also prepare to deploy patches promptly once available and conduct penetration testing to verify the effectiveness of mitigations. Backup and disaster recovery plans should be reviewed and tested to ensure resilience against potential exploitation.