
CVE-2025-8612: CWE-59: Improper Link Resolution Before File Access ('Link Following') in AOMEI Backupper Workstation

Severity: High
Tags: Vulnerability, CVE-2025-8612, CWE-59
Published: Wed Aug 20 2025 (08/20/2025, 16:26:37 UTC)
Source: CVE Database V5
Vendor/Project: AOMEI
Product: Backupper Workstation

Description

AOMEI Backupper Workstation Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of AOMEI Backupper Workstation. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. User interaction on the part of an administrator is needed additionally. The specific flaw exists within the restore functionality. By creating a junction, an attacker can abuse the service to create arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27059.

AI-Powered Analysis

AI analysis last updated: 08/20/2025, 16:47:47 UTC

Technical Analysis

CVE-2025-8612 is a local privilege escalation vulnerability in AOMEI Backupper Workstation version 4.7.2. It is an instance of CWE-59 (Improper Link Resolution Before File Access, 'Link Following') and is located in the product's restore functionality. An attacker who can already run low-privileged code on the target plants an NTFS directory junction (a reparse point that redirects one directory path to another). When the backup service, which runs as SYSTEM, writes restored files through that path, it follows the junction without validating the final destination, so the attacker controls where the service creates files. Creating attacker-controlled files in locations that should be protected is enough to escalate from a low-privileged user to SYSTEM, the highest privilege level on Windows. Exploitation requires an administrator to trigger the restore, meaning an admin must initiate or approve some action during the attack. The issue was reported through the Zero Day Initiative (ZDI) as ZDI-CAN-27059 and carries a CVSS v3.0 base score of 7.3 (High): local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L) and user interaction required (UI:R), with high impact on confidentiality, integrity and availability because arbitrary code runs as SYSTEM and can lead to full compromise of the host. No exploitation in the wild has been reported and no patch links are available yet, so organizations running this software should watch for an update from AOMEI and apply it promptly once released.
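The root cause above is a privileged writer that trusts a path containing an attacker-planted link. The following added example (not AOMEI's code and not taken from the advisory) shows the check a hardened restore routine needs: refuse any path component that is a reparse point, confirm the resolved target stays inside the restore root, and open the final file without following links. It runs on POSIX using a symlink as the stand-in for a Windows junction; the `st_file_attributes` check is the Windows analogue and is a no-op elsewhere.

```python
import os
import stat
import tempfile

def has_reparse_component(root: str, relpath: str) -> bool:
    """Return True if any component of root/relpath is a link or reparse point.
    Components that do not exist yet cannot be followed, so they are ignored."""
    current = root
    for part in relpath.split(os.sep):
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)  # lstat: inspect the component itself
        except FileNotFoundError:
            return False
        attrs = getattr(st, "st_file_attributes", 0)  # Windows only; 0 on POSIX
        if stat.S_ISLNK(st.st_mode) or attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT:
            return True
    return False

def restore_file(root: str, relpath: str, data: bytes) -> str:
    """Hardened restore write: reject links in the path, reject escapes from
    root, and open with O_NOFOLLOW (assumption: a real service would also
    hold directory handles to close the check-then-open window)."""
    root_real = os.path.realpath(root)
    if has_reparse_component(root_real, relpath):
        raise PermissionError(f"refusing to follow a link in {relpath!r}")
    target = os.path.join(root_real, relpath)
    resolved = os.path.realpath(target)
    if os.path.commonpath([root_real, resolved]) != root_real:
        raise PermissionError(f"{relpath!r} resolves outside the restore root")
    os.makedirs(os.path.dirname(target), exist_ok=True)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return resolved

def demo() -> dict:
    """Constructed scenario: the restore root holds a link named 'config'
    that points at a directory outside the root (the planted junction)."""
    with tempfile.TemporaryDirectory() as tmp:
        root, outside = os.path.join(tmp, "restore_root"), os.path.join(tmp, "protected")
        os.makedirs(root)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(root, "config"))
        results = {}
        written = restore_file(root, os.path.join("docs", "report.txt"), b"ok")
        results["direct_written"] = os.path.isfile(written)
        try:
            restore_file(root, os.path.join("config", "planted.txt"), b"x")
            results["via_link"] = "written"
        except PermissionError:
            results["via_link"] = "refused"
        results["outside_untouched"] = not os.path.exists(os.path.join(outside, "planted.txt"))
        return results
```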

Potential Impact

For European organizations using AOMEI Backupper Workstation 4.7.2, this vulnerability poses a significant risk. Because the flaw allows local privilege escalation to SYSTEM, an attacker who gains initial low-privileged access (for example through phishing, malware, or an insider) can use it to take full control of the affected system. That can lead to unauthorized access to sensitive data, disruption of backup and restore operations, and deployment of ransomware or other malicious payloads. The need for administrator interaction means the attacker cannot trigger the flaw alone, which limits opportunistic exploitation but does not remove the risk, particularly in environments where administrators routinely run restores. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and critical infrastructure, could face severe compliance and operational impacts if the flaw is exploited. Because the product's role is data recovery, a compromise could also undermine disaster recovery capabilities, increasing downtime and recovery costs.

Mitigation Recommendations

To mitigate this vulnerability effectively, European organizations should:

1) Immediately audit and restrict local user permissions to minimize the number of users with low-level code execution capabilities.
2) Limit administrative user interactions with backup software to trusted personnel and enforce strict operational procedures to prevent inadvertent exploitation.
3) Monitor for suspicious creation of junctions or symbolic links on systems running AOMEI Backupper Workstation, as this is a key exploitation vector.
4) Employ application whitelisting and endpoint detection and response (EDR) tools to detect unusual file creation or privilege escalation attempts.
5) Isolate backup servers and workstations from general user environments to reduce attack surface.
6) Stay alert for official patches or updates from AOMEI and apply them promptly once released.
7) Conduct regular security awareness training for administrators to recognize and avoid social engineering attempts that could trigger the required user interaction.
8) Consider alternative backup solutions with a stronger security posture if patching is delayed.


Technical Details

Data Version: 5.1
Assigner Short Name: zdi
Date Reserved: 2025-08-05T19:59:45.095Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 68a5f8afad5a09ad0006e52f

Added to database: 8/20/2025, 4:32:47 PM

Last enriched: 8/20/2025, 4:47:47 PM

Last updated: 8/21/2025, 3:00:24 PM
