Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local-only attack against an installed kernel driver requires an existing low-privileged session (AV:L, PR:L, AC:L, UI:N); successful exploitation yields full kernel/SYSTEM impact (C:H/I:H/A:H, scope unchanged).
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was determined in AOMEI Backupper up to 8.3.0. Impacted is an unknown function in the library amwrtdrv.sys of the component Kernel Driver. Executing a manipulation can lead to improper access controls. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Local privilege escalation in AOMEI Backupper through 8.3.0 stems from improper access controls in the bundled kernel driver amwrtdrv.sys, allowing an authenticated local user to abuse driver IOCTLs and escalate privileges. Publicly available exploit code exists for this issue, and the vendor was contacted but has not responded, leaving customers without an official fix. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local code execution on a Windows endpoint that has AOMEI Backupper 8.0-8.3.0 installed with its amwrtdrv.sys kernel driver loaded, and the attacker must already hold at least an unprivileged interactive or service account on that host (CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector AV:L/AC:L/AT:N/PR:L/UI:N with VC:H/VI:H/VA:H and E:P (proof-of-concept) accurately characterizes a local privilege-escalation issue: an attacker must already execute code on the host as a normal user, but exploitation is low-complexity and yields full confidentiality, integrity, and availability impact (effectively SYSTEM/kernel). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained low-privileged code execution on a Windows host running AOMEI Backupper (for example, via a phishing payload running as a standard user) opens a handle to the amwrtdrv.sys device object and issues the IOCTLs documented in the public PoC to perform arbitrary kernel reads/writes or to overwrite a privileged process token, elevating the current process to NT AUTHORITY\SYSTEM. The publicly disclosed write-up provides the technique and primitives, so weaponization effort is low for any actor already on the box. |
| Remediation | No vendor-released patch identified at time of analysis, as the vendor was contacted early but did not respond. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running AOMEI Backupper 8.3.0 and earlier; restrict local user account creation and service account privileges on affected systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38145
GHSA-6373-275m-34g3