AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code Execution Vulnerability

The impact of CVE-2025-8611 is severe due to the lack of authentication required for exploitation. An attacker can directly access the DaoService on TCP port 9074 and execute commands with SYSTEM privileges. This grants them complete control over the affected machine, enabling them to install malware, steal sensitive data, modify system configurations, and potentially pivot to other systems on the network. The vulnerability's simplicity and lack of authentication make it a high-priority target for malicious actors, particularly those seeking to gain initial access to a network. The potential for widespread compromise is significant, especially in environments where AOMEI Cyber Backup is deployed without proper network segmentation or security controls.

Organizations utilizing AOMEI Cyber Backup, particularly those with direct internet exposure or lacking robust network segmentation, are at significant risk. Environments with legacy configurations or those relying on default settings for AOMEI Cyber Backup are especially vulnerable. Shared hosting environments where multiple users share the same server instance are also at increased risk.

• windows / supply-chain:

Get-Process -Name DaoService | Select-Object -ExpandProperty Path

• windows / supply-chain:

Get-WinEvent -LogName System -FilterXPath "*[System[Provider[@Name='Microsoft-Windows-Sysmon/Operational'] and EventID=1]]" -MaxEvents 10 | Where-Object {$_.Properties[0].Value -match 'DaoService'}

• generic web:

curl -I http://<target_ip>:9074/ | grep -i 'server'

1. 2025-08-20Disclosure

   disclosure

2. 2025-08-20Patch

   patch

1. आरक्षित2025-08-05
2. प्रकाशित2025-08-20
3. EPSS अद्यतन2026-03-23

The primary mitigation for CVE-2025-8611 is to immediately upgrade AOMEI Cyber Backup to version 3.7.1 or later. If upgrading is not immediately feasible, consider isolating affected systems from the network to prevent exploitation. Network firewalls can be configured to block inbound traffic to TCP port 9074. While a WAF is unlikely to directly mitigate this vulnerability, it could potentially detect and block malicious requests based on observed patterns. Monitor system logs for suspicious activity related to the DaoService, specifically looking for unauthorized process executions or network connections originating from the 9074 port. After upgrading, confirm the vulnerability is resolved by attempting to access the DaoService without authentication and verifying that access is denied.