CVE-2025-34079
Published 2025-07-02
Priority: P3 53 · CVSS 3.1: 7.8 (high), vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: yes · EPSS: 1.28% (66.3rd percentile)
An authenticated remote code execution vulnerability exists in NSClient++ version 0.5.2.35 when the web interface and ExternalScripts module are enabled. A remote attacker with the administrator password can authenticate to the web interface (default port 8443), inject arbitrary commands as external scripts via the /settings/query.json API, save the configuration, and trigger the script via the /query/{name} endpoint. The injected commands are executed with SYSTEM privileges, enabling full remote compromise.
This capability is an intended feature, but the lack of safeguards or privilege separation makes it risky when exposed to untrusted actors.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nsclient | nsclient | — | — |
Detection & IOCs (extracted from sources)
Detection:
- Monitor for HTTP/HTTPS POST requests to /settings/query.json on port 8443 from external or untrusted sources, especially those containing script injection payloads in the request body.
- Alert on processes spawned by NSClient++ (nscp.exe or similar) that execute with SYSTEM privileges following a web interface interaction, particularly cmd.exe or powershell.exe child processes.
- Detect exploitation attempts using the Metasploit module exploits/windows/http/nscp_authenticated_rce targeting the NSClient++ web interface on port 8443.
- Flag any GET requests to /query/<name> endpoints on port 8443 that follow recent POST activity to /settings/query.json, as this two-step pattern is characteristic of the exploit chain.
Context and mitigation:
- The ExternalScripts feature must be enabled alongside the web interface for this vulnerability to be exploitable. Disabling either mitigates the attack surface.
- This capability is described as an intended feature of NSClient++; the risk arises specifically when the web interface is exposed to untrusted actors without privilege separation.
- Exploitation requires knowledge of the administrator password; credential hygiene and restricting web interface access are critical mitigating controls.
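The two-step correlation described in the detection notes above, as an added example that is not part of this CVE record: it scans web-access log lines for a GET to /query/<name> on port 8443 that follows a POST to /settings/query.json from the same client within a time window. The log line format (`timestamp src-ip method path dst-port`) and the sample lines are constructed for the example; NSClient++'s own log format is not assumed.

```python
# Added example: correlate NSClient++ web-interface access logs to flag the
# "settings POST then script trigger" chain. Log format is a constructed,
# simplified "<iso-timestamp> <src-ip> <method> <path> <dst-port>" line.
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d+)$")
SETTINGS_PATH = "/settings/query.json"   # where external scripts get injected
QUERY_PREFIX = "/query/"                 # /query/<name> triggers the script
WEB_PORT = "8443"                        # default NSClient++ web port

def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, path, port = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "method": method, "path": path, "port": port}

def find_exploit_chain(lines, window=timedelta(minutes=10)):
    """Return (src, script_name, post_ts, get_ts) for every GET /query/<name>
    on the web port that follows a settings POST from the same source
    within `window`. Plain /query/ GETs with no prior POST are ignored,
    since ordinary monitoring checks use the same endpoint."""
    last_post = {}  # src ip -> timestamp of its most recent settings POST
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["port"] != WEB_PORT:
            continue
        if ev["method"] == "POST" and ev["path"] == SETTINGS_PATH:
            last_post[ev["src"]] = ev["ts"]
        elif ev["method"] == "GET" and ev["path"].startswith(QUERY_PREFIX):
            post_ts = last_post.get(ev["src"])
            if post_ts is not None and ev["ts"] - post_ts <= window:
                hits.append((ev["src"], ev["path"][len(QUERY_PREFIX):],
                             post_ts, ev["ts"]))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-07-02T10:00:00 10.0.0.5 GET /query/check_cpu 8443",              # routine check
    "2025-07-02T10:01:00 198.51.100.7 POST /settings/query.json 8443",     # settings change
    "2025-07-02T10:01:30 198.51.100.7 GET /query/check_os_version 8443",   # trigger: chain
    "2025-07-02T10:02:00 10.0.0.5 GET /query/check_memory 8443",           # no prior POST
    "2025-07-02T11:30:00 198.51.100.7 GET /query/check_cpu 8443",          # outside window
]

if __name__ == "__main__":
    for src, name, post_ts, get_ts in find_exploit_chain(SAMPLE_LOG):
        print(f"ALERT {src}: settings POST at {post_ts}, script '{name}' run at {get_ts}")
```

Pairing this network-side signal with the host-side one (cmd.exe or powershell.exe children of nscp.exe) reduces false positives from legitimate administrators who edit settings and then run a check.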
CVSS provenance
- NVD, CVSS v3.1: 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 7.5 HIGH, CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
No detection rules found.
No writeups or analysis indexed.