CVE-2025-34079
BaseFortify
Publication date: 2025-07-02
Last updated on: 2025-09-16
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nsclient | nsclient\+\+ | 0.5.2.35 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authenticated remote code execution (RCE) flaw in NSClient++ version 0.5.2.35. When the web interface and ExternalScripts module are enabled, an attacker who knows the administrator password can authenticate to the web interface and inject arbitrary commands as external scripts via the /settings/query.json API. These commands are saved and then triggered through the /query/{name} endpoint, executing with SYSTEM privileges. This allows full remote compromise of the system. The vulnerability arises because there are no safeguards or privilege separation to prevent misuse of this intended feature. [2, 3]
How can this vulnerability impact me? :
If exploited, this vulnerability allows an attacker with the administrator password to execute arbitrary commands on the affected system with SYSTEM-level privileges. This means the attacker can fully compromise the system remotely, potentially leading to complete control over the machine, data theft, disruption of services, or further attacks within the network. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves verifying if NSClient++ version 0.5.2.35 is running with both the web interface (default port 8443) and the ExternalScripts module enabled. You can check if the service is listening on port 8443 and test access to the web interface endpoints. For example, use curl or similar tools to authenticate and query the /registry/control/module/load endpoint to confirm if the ExternalScripts module is loaded. Commands to check might include: 1) curl -k -X POST https://<target>:8443/auth/token -d '{"password":"<admin_password>"}' to obtain an auth token; 2) curl -k -H 'X-Auth-Token: <token>' https://<target>:8443/registry/control/module/load?module=CheckExternalScripts to verify if the module is enabled; 3) Monitor logs or network traffic for suspicious POST requests to /settings/query.json or GET requests to /query/{script_name} endpoints which may indicate exploitation attempts. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Disable the NSClient++ web interface if it is not required, especially the ExternalScripts module; 2) Restrict network access to port 8443 to trusted administrators only; 3) Change the administrator password to a strong, unique value; 4) Apply any available patches or updates from NSClient++ that address this vulnerability; 5) Monitor and audit NSClient++ logs for unauthorized configuration changes or script executions; 6) If possible, implement network segmentation or firewall rules to limit exposure of the NSClient++ service to untrusted networks. [2, 3]