CVE-2025-34181
Arbitrary File Write in NetSupport Manager Enables Remote Code Execution
Publication date: 2025-12-15
Last updated on: 2025-12-15
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| netsupport | netsupport_manager | <14.12.0001 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-34181 is an authenticated path traversal vulnerability in NetSupport Manager versions prior to 14.12.0001, specifically in the Connectivity Server/Gateway PUTFILE request handler. An attacker with a valid Gateway Key can supply a crafted filename containing directory traversal sequences to write files to arbitrary locations on the server. This allows placing malicious DLLs or executables in privileged paths, leading to remote code execution within the NetSupport Manager connectivity service. [2]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with a valid Gateway Key to write arbitrary files, including malicious DLLs or executables, to privileged locations on the server. This can lead to remote code execution, compromising the server's confidentiality, integrity, and availability, and potentially allowing full control over the affected system. [2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2025-34181, immediately upgrade all NetSupport Manager components (Gateways, Controls, and Clients) to version 14.12.0001 or later. For Gateway Servers running vulnerable versions (12.70 to 12.80 and 14.00 to 14.10), apply the updates 12.80.0015 or 14.10.0005 respectively. After updating, if a Gateway Key compromise is suspected, generate and apply a new Gateway Key and migrate all Clients and Controls to use the new key. Also, update any Active Directory or Intune policies to replace old encrypted Gateway Key values with the new AES-encrypted keys as per the updated policy paths. Follow the installation instructions using the full installer and license files, and consider contacting NetSupport Technical Support for Gateway Load Balancing environments. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2025-34181 involves monitoring for unauthorized PUTFILE requests to the NetSupport Gateway server, which listens on TCP port 443. Since exploitation requires a valid Gateway Key, suspicious activity may include unusual PUTFILE commands containing directory traversal sequences in filenames. Network traffic capture tools like Wireshark or tcpdump can be used to inspect HTTP requests to the Gateway server for such patterns. Additionally, checking for unexpected files or DLLs placed in privileged directories (e.g., C:\Windows\System32\symsrv.dll) can indicate exploitation attempts. While no specific detection commands are provided in the resources, administrators can use commands to monitor network connections and file system changes, such as: 1. Using PowerShell to monitor file creation in sensitive directories: ```powershell Get-ChildItem -Path C:\Windows\System32\ -Filter symsrv.dll -Recurse -ErrorAction SilentlyContinue ``` 2. Using netstat to check for active connections on port 443: ```bash netstat -an | findstr :443 ``` 3. Using network capture tools to filter HTTP PUTFILE requests to the Gateway server. It is also recommended to verify the version of NetSupport Manager Gateway component and ensure it is updated to 14.12.0001 or later to mitigate this vulnerability. [2, 3, 1]