
CVE-2025-8610: CWE-306: Missing Authentication for Critical Function in AOMEI Cyber Backup

Severity: Critical
Tags: Vulnerability, CVE-2025-8610, CWE-306
Published: Wed Aug 20 2025 (08/20/2025, 16:25:52 UTC)
Source: CVE Database V5
Vendor/Project: AOMEI
Product: Cyber Backup

Description

AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of AOMEI Cyber Backup. Authentication is not required to exploit this vulnerability. The specific flaw exists within the StorageNode service, which listens on TCP port 9075 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-26156.

AI-Powered Analysis

Last updated: 08/20/2025, 16:48:14 UTC

Technical Analysis

CVE-2025-8610 is a critical remote code execution vulnerability affecting AOMEI Cyber Backup version 3.7.0. The flaw resides in the StorageNode service, which by default listens on TCP port 9075. It is classified as CWE-306, Missing Authentication for a Critical Function: the StorageNode service exposes sensitive functionality over the network without requiring any authentication first, so an unauthenticated remote attacker who can reach port 9075 can execute arbitrary code with SYSTEM-level privileges and take complete control of the backup server and, through it, the backup environment. The vulnerability carries a CVSS v3.0 base score of 9.8 (network attack vector, low attack complexity, no privileges or user interaction required, high impact on confidentiality, integrity and availability). No public exploitation in the wild has been observed at the time of writing, but the absence of any authentication step makes exploitation straightforward once the service is reachable. Because backup servers typically hold credentials and privileged access to the systems they protect, a compromise can be used to tamper with or delete backup data, disrupt backup jobs, stage ransomware, or pivot laterally into the rest of the network.

Potential Impact

For European organizations, the impact of this vulnerability could be severe. Backup systems like AOMEI Cyber Backup are integral to data protection and disaster recovery strategies, and compromise of one can lead to unauthorized data access, tampering or deletion, undermining both data integrity and availability. An attacker with SYSTEM-level access on the backup server can deploy ransomware or other malware and can destroy the backups an organization would otherwise recover from, so exploitation threatens business continuity, regulatory obligations (e.g., GDPR breach notification and data protection duties) and can cause significant financial and reputational damage. Organizations relying on AOMEI Cyber Backup for critical data protection also risk the backup server being used as a foothold against the systems it has access to. Because the flaw is reachable over the network and needs neither credentials nor user interaction, automated scanning for exposed port 9075 instances and opportunistic exploitation attempts against European networks are likely once exploit details become available.

Mitigation Recommendations

Immediate mitigation is to isolate the StorageNode service from untrusted networks: restrict inbound access to TCP port 9075 with network segmentation and host or perimeter firewall rules so that only trusted management hosts can reach it, and make sure the service is not exposed to the internet at all. When scoping the port on the host firewall, add an allow rule limited to the management hosts and rely on a default inbound deny; on Windows Defender Firewall a blanket block rule on the port takes precedence over allow rules and would also cut off legitimate management traffic. Monitor network and firewall logs for connections to port 9075 from sources outside that allowlist, as these are the most direct indicator of scanning or exploitation attempts. Since no patch is available at the time of writing, consider stopping or disabling the StorageNode service where feasible until a vendor fix is released, bearing in mind that this interrupts the backup jobs that depend on it. Use host-based intrusion detection or EDR to watch for unexpected child processes of the StorageNode service, since any process it spawns runs as SYSTEM. Regularly audit backup server configurations and logs for unauthorized access attempts, and maintain offline or immutable copies of backups so recovery remains possible if the backup server itself is compromised. Once AOMEI releases a patch, prioritize its deployment across all affected systems. Finally, incorporate this vulnerability into incident response plans and run tabletop exercises covering a compromised backup server.
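The following PowerShell is an added example of the host-level part of these mitigations on the Windows backup server; it is not AOMEI's code and not taken from the advisory. It assumes hypothetical management host addresses and a hypothetical rule display name (adjust both), must be run elevated on the affected server, and scopes TCP/9075 to the management hosts instead of adding a blanket block rule, because Windows Defender Firewall evaluates block rules before allow rules. It then shows which process owns the 9075 listener and scans the firewall log for connection attempts from non-management sources.

```powershell
# Added example, not AOMEI's code. Scope TCP/9075 (StorageNode) to trusted
# management hosts with Windows Defender Firewall, then verify and monitor.
# Assumptions (hypothetical, adjust for your environment):
#   $MgmtHosts  - the only hosts that should talk to the StorageNode service
#   $RulePrefix - display name used for the rule this script creates
#Requires -RunAsAdministrator

$Port       = 9075
$MgmtHosts  = @('10.0.10.5', '10.0.10.6')      # constructed allowlist
$RulePrefix = 'AOMEI StorageNode 9075'

# 1. Block rules win over Allow rules in Windows Firewall, so do NOT add a
#    blanket Block on 9075. Rely on the default inbound action being Block.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# 2. Disable any pre-existing inbound Allow rule that opens 9075 to everyone
#    (product installers commonly add one). Our own scoped rule is skipped.
$broadAllows = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
                   $_.DisplayName -notlike "$RulePrefix*" }
foreach ($rule in $broadAllows) {
    Write-Host "Disabling broad allow rule: $($rule.DisplayName)"
    Disable-NetFirewallRule -Name $rule.Name
}

# 3. Add one inbound Allow rule limited to the management hosts.
$ruleName = "$RulePrefix (mgmt only)"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -RemoteAddress $MgmtHosts -Action Allow -Profile Any | Out-Null
}

# 4. Show what is listening on 9075 and which process owns the socket.
Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Port         = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = $proc.ProcessName
        }
    }

# 5. Log dropped packets and report any attempt to reach 9075 from a host
#    that is not on the management allowlist.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
if (Test-Path $log) {
    # pfirewall.log fields: date time action protocol src-ip dst-ip src-port dst-port ...
    Get-Content $log | Where-Object { $_ -notmatch '^#' } | ForEach-Object {
        $f = $_ -split '\s+'
        if ($f.Count -ge 8 -and $f[3] -eq 'TCP' -and $f[7] -eq "$Port" -and
            $MgmtHosts -notcontains $f[4]) {
            "$($f[0]) $($f[1]) $($f[2]) $($f[4]) -> $($f[5]):$($f[7]) (not a management host)"
        }
    }
}
```

After applying the rule, confirm from a host that is not on the allowlist that `Test-NetConnection <backup-server> -Port 9075` reports the TCP test failed, and from a management host that it succeeds. Step 5 only sees what the host firewall dropped after logging was enabled; connections that arrived before that, or that were allowed, need the `-LogAllowed True` profile setting or a network-level source such as flow or IDS logs.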


Technical Details

Data Version
5.1
Assigner Short Name
zdi
Date Reserved
2025-08-05T19:59:21.371Z
Cvss Version
3.0
State
PUBLISHED


Added to database: 8/20/2025, 4:32:47 PM

Last enriched: 8/20/2025, 4:48:14 PM

Last updated: 8/22/2025, 12:34:56 AM

