CVE Alert: CVE-2025-12247 – Hasleo – Backup Suite
CVE-2025-12247
A weakness has been identified in Hasleo Backup Suite up to 5.2. Impacted is an unknown function of the component HasleoImageMountService/HasleoBackupSuiteService. This manipulation causes an unquoted search path. The attack is restricted to local execution. The attack’s complexity is rated as high. The exploitability is considered difficult. The exploit has been made available to the public and could be exploited. Upgrading the affected component is advised.
AI Summary Analysis
Risk verdict
High risk of local compromise due to a publicly available exploit targeting the Hasleo Backup Suite component; exploitation requires local access with low privileges and no user interaction, so patching should be treated with urgency.
Why this matters
Compromise of backup infrastructure can enable backup tampering, data exfiltration, or ransomware deployment with broad impact on recovery assurance. The vulnerable path is a service binary with an unquoted search path, giving an attacker a reliable foothold and potential privilege elevation to high-integrity/availability-critical components.
Most likely attack path
Attacker requires local access, no user interaction, and low privileges; they weaponise an unquoted search path within the service binary to hijack execution. The service runs with high rights, enabling immediate reach to backup data and system-level control, with high impact to confidentiality, integrity and availability. Public exploit availability reduces time-to-weaponisation and broadens the attacker pool.
Who is most exposed
Windows endpoints where Hasleo Backup Suite is deployed—common in SMEs and enterprise workstations/servers running backup workflows—are at risk, especially where the service runs with elevated rights and unquoted path configurations.
Detection ideas
- Monitor for service creation/modification events involving HasleoImageMountService/HasleoBackupSuiteService with unquoted or space-containing image paths.
- Look for suspicious process creations launching from non-standard directories before backup operations.
- Sysmon/Event logs: unusual process trees around backup services; unexpected binary replacements in the backup suite folder.
- Anomalous binary path changes to the Hasleo service executables.
- IOCs from CTI feeds indicating unquoted search paths in backup-related services.
Mitigation and prioritisation
- Patch to the latest available version; confirm patch applicability and test in a staging environment before rollout.
- Validate and correct service paths (ensure quotes and standard paths; remove unquoted search paths).
- Apply least privilege for the backup services; consider Application Control/whitelisting to block tampering.
- Deploy endpoint detection and response coverage for process creation and service changes around backup components.
- If KEV flag is true or EPSS ≥ 0.5, treat as priority 1; otherwise priority 2 with scheduled remediation. Change-management: plan a coordinated update window and verify backups post-patch.
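
The service-path check named in the detection and mitigation lists above can be run as a read-only audit. The script below is an added example, not code from Hasleo or from this site. The function name, the sample paths and the `Hasleo*` service-name wildcard are assumptions, since the advisory gives component names only.

```powershell
# Added example: read-only audit for unquoted service image paths.
# Nothing on the system is modified.
function Get-UnquotedServicePathFinding {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ImagePath
    )
    # Check the value after %VAR% expansion, because a variable such as
    # %ProgramFiles% can expand to a directory name that contains a space.
    $path = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()

    # A value that starts with a quote is already delimited.
    if ($path.StartsWith('"')) { return }

    # Executable = shortest prefix ending in ".exe"; the rest is arguments.
    # Values without ".exe" (for example kernel drivers) are skipped.
    $m = [regex]::Match($path, '^(?<exe>.+?\.exe)(?<args>\s.*)?$', 'IgnoreCase')
    if (-not $m.Success) { return }

    $exe = $m.Groups['exe'].Value
    if ($exe -notmatch '\s') { return }   # no whitespace, nothing ambiguous

    [pscustomobject]@{
        Service   = $Name
        ImagePath = $ImagePath
        Suggested = '"{0}"{1}' -f $exe, $m.Groups['args'].Value
    }
}

# Constructed sample values, not taken from a real installation.
# Only ExampleUnquoted should be reported.
$samples = @(
    [pscustomobject]@{ Name = 'ExampleQuoted';   ImagePath = '"C:\Program Files\Example\svc.exe" -run' }
    [pscustomobject]@{ Name = 'ExampleUnquoted'; ImagePath = 'C:\Program Files\Example\svc.exe -run' }
    [pscustomobject]@{ Name = 'ExampleNoSpace';  ImagePath = 'C:\Windows\System32\svc.exe -run' }
)
$samples |
    ForEach-Object { Get-UnquotedServicePathFinding -Name $_.Name -ImagePath $_.ImagePath } |
    Format-List

# Live audit of every Win32 service, names matching Hasleo* listed first.
# Treating the advisory's component names as service names is an assumption.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object { Get-UnquotedServicePathFinding -Name $_.Name -ImagePath $_.PathName } |
    Sort-Object { $_.Service -notlike 'Hasleo*' }, Service |
    Format-List
```

The `Suggested` value is built from the expanded path, so review it against the original registry value before applying any change through your normal change process.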
