CVE-2025-34181
Unknown Unknown - Not Provided
Arbitrary File Write in NetSupport Manager Enables Remote Code Execution

Publication date: 2025-12-15

Last updated on: 2025-12-15

Assigner: VulnCheck

Description
NetSupport Manager < 14.12.0001 contains an arbitrary file write vulnerability in its Connectivity Server/Gateway PUTFILE request handler. An attacker with a valid Gateway Key can supply a crafted filename containing directory traversal sequences to write files to arbitrary locations on the server. This can be leveraged to place attacker-controlled DLLs or executables in privileged paths and achieve remote code execution in the context of the NetSupport Manager connectivity service.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-15
Last Modified
2025-12-15
Generated
2026-06-16
AI Q&A
2025-12-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-34181
EUVD
EUVD-2025-203378
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
netsupport netsupport_manager <14.12.0001
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-34181 is an authenticated path traversal vulnerability in NetSupport Manager versions prior to 14.12.0001, specifically in the Connectivity Server/Gateway PUTFILE request handler. An attacker with a valid Gateway Key can supply a crafted filename containing directory traversal sequences to write files to arbitrary locations on the server. This allows placing malicious DLLs or executables in privileged paths, leading to remote code execution within the NetSupport Manager connectivity service. [2]

Impact Analysis

This vulnerability can allow an attacker with a valid Gateway Key to write arbitrary files, including malicious DLLs or executables, to privileged locations on the server. This can lead to remote code execution, compromising the server's confidentiality, integrity, and availability, and potentially allowing full control over the affected system. [2]

Mitigation Strategies

To mitigate CVE-2025-34181, immediately upgrade all NetSupport Manager components (Gateways, Controls, and Clients) to version 14.12.0001 or later. For Gateway Servers running vulnerable versions (12.70 to 12.80 and 14.00 to 14.10), apply the updates 12.80.0015 or 14.10.0005 respectively. After updating, if a Gateway Key compromise is suspected, generate and apply a new Gateway Key and migrate all Clients and Controls to use the new key. Also, update any Active Directory or Intune policies to replace old encrypted Gateway Key values with the new AES-encrypted keys as per the updated policy paths. Follow the installation instructions using the full installer and license files, and consider contacting NetSupport Technical Support for Gateway Load Balancing environments. [1]

Detection Guidance

Detection of CVE-2025-34181 involves monitoring for unauthorized PUTFILE requests to the NetSupport Gateway server, which listens on TCP port 443. Since exploitation requires a valid Gateway Key, suspicious activity may include unusual PUTFILE commands containing directory traversal sequences in filenames. Network traffic capture tools like Wireshark or tcpdump can be used to inspect HTTP requests to the Gateway server for such patterns. Additionally, checking for unexpected files or DLLs placed in privileged directories (e.g., C:\Windows\System32\symsrv.dll) can indicate exploitation attempts. While no specific detection commands are provided in the resources, administrators can use commands to monitor network connections and file system changes, such as: 1. Using PowerShell to monitor file creation in sensitive directories: ```powershell Get-ChildItem -Path C:\Windows\System32\ -Filter symsrv.dll -Recurse -ErrorAction SilentlyContinue ``` 2. Using netstat to check for active connections on port 443: ```bash netstat -an | findstr :443 ``` 3. Using network capture tools to filter HTTP PUTFILE requests to the Gateway server. It is also recommended to verify the version of NetSupport Manager Gateway component and ensure it is updated to 14.12.0001 or later to mitigate this vulnerability. [2, 3, 1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34181. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart