Name of the Vulnerable Software and Affected Versions:
Macrium Reflect versions through 2025-06-26
Description:
Macrium Reflect allows local attackers to execute arbitrary code with administrator privileges via a crafted `.mrimgx` backup file and a malicious `VSSSvr.dll` located in the same directory. When a user with administrative privileges mounts a backup by opening the `.mrimgx` file, Reflect loads the attacker's `VSSSvr.dll` after the mount completes. The cause is an untrusted DLL search path in `ReflectMonitor.exe`.
Recommendations:
Versions prior to 2025-06-26 should be updated.
As a temporary workaround, avoid opening `.mrimgx` backup files from untrusted sources.
Restrict access to the `ReflectMonitor.exe` file to minimize the risk of exploitation.
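To support the workaround above, a folder of received backups can be checked before anything is mounted. The following is an added example, not vendor code: it flags every directory that holds both a `.mrimgx` file and a `VSSSvr.dll`, and records the DLL's SHA-256 for triage. The function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import sys
import tempfile

BACKUP_EXT = ".mrimgx"      # backup file type named in the advisory
PLANTED_DLL = "vsssvr.dll"  # DLL name from the advisory, lower-cased for comparison


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_colocated_dlls(root):
    """Return one finding per directory under root holding both a backup and the DLL."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # Windows resolves file names case-insensitively, so compare lower-cased.
        backups = sorted(f for f in files if f.lower().endswith(BACKUP_EXT))
        dlls = [f for f in files if f.lower() == PLANTED_DLL]
        if backups and dlls:
            dll_path = os.path.join(dirpath, dlls[0])
            findings.append({"directory": dirpath, "backups": backups,
                             "dll": dll_path, "sha256": sha256_of(dll_path)})
    return findings


def build_sample_tree(base):
    """Constructed sample input: only 'downloads' matches the advisory's layout."""
    layout = {
        "downloads": ["client.mrimgx", "VSSSvr.DLL"],  # backup and DLL together: flagged
        "archive": ["weekly.mrimgx"],                  # backup alone: clean
        "tools": ["VSSSvr.dll"],                       # DLL alone: not this pattern
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder))
        for name in names:
            with open(os.path.join(base, folder, name), "wb") as fh:
                fh.write(b"constructed sample bytes")
    return base


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree(tempfile.mkdtemp())
    for f in find_colocated_dlls(root):
        print(f"{f['directory']}: {f['dll']} sha256={f['sha256']} beside {f['backups']}")
```

Run it with the folder to scan as the only argument; with no argument it scans the constructed sample tree.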