CVE-2025-43596

An insecure file system permissions vulnerability in MSP360 Backup 8.0 allows a low privileged user to execute commands with SYSTEM level privileges using a specially crafted file with an arbitrary file backup target. Upgrade to MSP360 Backup 8.1.1.19 (released on 2025-05-15).

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://help.msp360.com/cloudberry-backup/security/admin-privileges	Product
https://help.msp360.com/cloudberry-backup/whats-new	Release Notes
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-119-01.json	Third Party Advisory
https://www.cve.org/CVERecord?id=CVE-2025-43596	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:msp360:backup:*:*:*:*:*:*:*:*

History

23 Sep 2025, 15:21

Type	Values Removed	Values Added
References	~~() https://help.msp360.com/cloudberry-backup/security/admin-privileges -~~	() https://help.msp360.com/cloudberry-backup/security/admin-privileges - Product
References	~~() https://help.msp360.com/cloudberry-backup/whats-new -~~	() https://help.msp360.com/cloudberry-backup/whats-new - Release Notes
References	~~() https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-119-01.json -~~	() https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-119-01.json - Third Party Advisory
References	~~() https://www.cve.org/CVERecord?id=CVE-2025-43596 -~~	() https://www.cve.org/CVERecord?id=CVE-2025-43596 - Third Party Advisory
CPE		cpe:2.3:a:msp360:backup::::::::
First Time		Msp360 backup Msp360

23 May 2025, 15:55

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad de permisos del sistema de archivos inseguro en MSP360 Backup 8.0 permite a un usuario con pocos privilegios ejecutar comandos con privilegios de nivel SYSTEM utilizando un archivo especialmente manipulado con un destino de copia de seguridad arbitrario. Actualice a MSP360 Backup 8.1.1.19 (publicado el 15/05/2025).

22 May 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-22 17:15

Updated : 2025-09-23 15:21

NVD link : CVE-2025-43596

Mitre link : CVE-2025-43596

CVE.ORG link : CVE-2025-43596

JSON object : View

Products Affected

msp360

backup

CWE

CWE-276

Incorrect Default Permissions

7.8 /10