CVE-2025-8070: CWE-428 Unquoted Search Path or Element in ASUSTOR ABP and AES

Severity: Critical
Type: Vulnerability | CVE-2025-8070 | Tags: cve, cve-2025-8070, cwe-428
Published: Wed Jul 23 2025 (07/23/2025, 07:26:03 UTC)
Source: CVE Database V5
Vendor/Project: ASUSTOR
Product: ABP and AES

Description

The Windows service configuration of ABP and AES contains an unquoted ImagePath registry value vulnerability. This allows a local attacker to execute arbitrary code by placing a malicious executable in a predictable location such as C:\Program.exe. If the service runs with elevated privileges, exploitation results in privilege escalation to SYSTEM level. This vulnerability arises from an unquoted service path affecting systems where the executable resides in a path containing spaces. Affected products and versions include: ABP 2.0.7.6130 and earlier as well as AES 1.0.6.6133 and earlier.

AI-Powered Analysis

Last updated: 07/23/2025, 07:47:44 UTC

Technical Analysis

CVE-2025-8070 is a critical vulnerability classified under CWE-428 (Unquoted Search Path or Element) affecting ASUSTOR's ABP (App Backup) and AES (ASUSTOR Encryption Service) products, specifically versions ABP 2.0.7.6130 and earlier and AES 1.0.6.6133 and earlier. The vulnerability arises from the Windows service configuration where the ImagePath registry value, which specifies the executable path for the service, is unquoted despite containing spaces in the path. This misconfiguration allows a local attacker to place a malicious executable in a predictable location such as C:\Program.exe. When the service starts, Windows may execute the malicious executable instead of the intended one due to the way it parses unquoted paths with spaces. Since these services typically run with elevated privileges, exploitation leads to privilege escalation to SYSTEM level. The vulnerability requires local access with low privileges and no user interaction, making it relatively easy to exploit once local access is obtained. The CVSS 4.0 score of 9.2 reflects the high impact on confidentiality, integrity, and availability, with a high scope and no user interaction needed. No known exploits are currently reported in the wild, but the vulnerability's nature and severity make it a significant risk for affected systems. The lack of patch links indicates that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps.

Potential Impact

For European organizations using ASUSTOR ABP and AES products, this vulnerability poses a significant risk of local privilege escalation. Attackers who gain low-level access to affected systems can leverage this flaw to escalate privileges to SYSTEM, potentially gaining full control over the device. This can lead to unauthorized access to sensitive data, disruption of backup or encryption services, and lateral movement within networks. Given that ASUSTOR products are often used in enterprise and SMB environments for data backup and encryption, exploitation could compromise critical business data and operations. The impact is heightened in environments where these services run on Windows systems with multiple users or where endpoint security is less stringent. Additionally, the vulnerability could be leveraged as part of a multi-stage attack chain, especially in targeted attacks against organizations with valuable intellectual property or sensitive information. The absence of known exploits in the wild currently provides a window for proactive defense, but the critical severity necessitates urgent attention.

Mitigation Recommendations

1. Immediate mitigation involves manually correcting the unquoted service path in the Windows registry for the affected services. Administrators should locate the ImagePath registry key for ABP and AES services and ensure the executable path is enclosed in double quotes to prevent path hijacking.
2. Restrict write permissions on directories in the service path to prevent unauthorized users from placing malicious executables.
3. Implement strict local access controls and limit the number of users with local login privileges to reduce the risk of local exploitation.
4. Monitor systems for suspicious executable files in common hijack locations such as C:\Program.exe.
5. Employ application whitelisting and endpoint protection solutions that can detect and block unauthorized executable launches.
6. Regularly audit and update ASUSTOR products to the latest versions once patches become available.
7. Educate IT staff about the risks of unquoted service paths and encourage proactive registry audits for other services that may be similarly affected.

These steps go beyond generic advice by focusing on immediate registry fixes, permission hardening, and active monitoring tailored to this vulnerability's exploitation vector.
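The registry audit and monitoring steps above can be scripted. The following PowerShell is an added example, not code from ASUSTOR or from this page's source; the function name `Test-UnquotedImagePath` and the sample service names and paths are hypothetical placeholders. It flags unquoted ImagePath values that contain spaces, lists the file locations to watch for each one, and proposes the quoted replacement value.

```powershell
# Added audit helper (hypothetical name); not ASUSTOR or OffSeq code.
function Test-UnquotedImagePath {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ImagePath
    )
    $raw = $ImagePath.Trim()
    if ($raw.StartsWith('"')) { return }              # already quoted: nothing to report
    # Executable = text up to the first ".exe" that is followed by whitespace or end of string.
    $m = [regex]::Match($raw, '^(?<exe>.+?\.exe)(?<args>\s.*)?$', 'IgnoreCase')
    if (-not $m.Success) { return }
    $exe      = $m.Groups['exe'].Value
    # REG_EXPAND_SZ values are expanded before launch, so test the expanded form for spaces.
    $expanded = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not $expanded.Contains(' ')) { return }
    # At every space Windows first tries "<prefix>.exe"; these are the locations to watch.
    $watch = for ($i = 0; $i -lt $expanded.Length; $i++) {
        if ($expanded[$i] -eq ' ') { $expanded.Substring(0, $i) + '.exe' }
    }
    [pscustomobject]@{
        Service     = $Name
        ImagePath   = $raw
        WatchPaths  = @($watch)
        # Any hit here means a file already sits at an interception point: investigate it.
        Present     = @($watch | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })
        QuotedValue = '"' + $exe + '"' + $m.Groups['args'].Value
    }
}

# Constructed sample input; service names and paths are placeholders, not the real ASUSTOR values.
$sample = @(
    [pscustomobject]@{ Name = 'ExampleSvcA'; ImagePath = 'C:\Program Files\Example Vendor\Backup Tool\svc.exe -run' }
    [pscustomobject]@{ Name = 'ExampleSvcB'; ImagePath = '"C:\Program Files\Example Vendor\Sync Tool\svc.exe"' }
    [pscustomobject]@{ Name = 'ExampleSvcC'; ImagePath = 'C:\Windows\System32\svchost.exe -k example' }
)
$sample | ForEach-Object { Test-UnquotedImagePath -Name $_.Name -ImagePath $_.ImagePath } | Format-List

# On a live host, feed every service's ImagePath from the registry instead:
# Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue |
#   Where-Object ImagePath |
#   ForEach-Object { Test-UnquotedImagePath -Name $_.PSChildName -ImagePath $_.ImagePath }
```

After reviewing a reported service, write its `QuotedValue` back to that service's ImagePath value; that is the registry fix described in step 1.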


Technical Details

Data Version: 5.1
Assigner Short Name: ASUSTOR1
Date Reserved: 2025-07-23T03:45:31.946Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6880901cad5a09ad0008ab16

Added to database: 7/23/2025, 7:32:44 AM

Last enriched: 7/23/2025, 7:47:44 AM

Last updated: 9/4/2025, 5:44:04 PM
