Search criteria
9 vulnerabilities found for nsclient\+\+ by nsclient
FKIE_CVE-2025-34079
Vulnerability from fkie_nvd - Published: 2025-07-02 20:15 - Updated: 2025-09-16 19:53
Severity ?
Summary
An authenticated remote code execution vulnerability exists in NSClient++ version 0.5.2.35 when the web interface and ExternalScripts module are enabled. A remote attacker with the administrator password can authenticate to the web interface (default port 8443), inject arbitrary commands as external scripts via the /settings/query.json API, save the configuration, and trigger the script via the /query/{name} endpoint. The injected commands are executed with SYSTEM privileges, enabling full remote compromise.
This capability is an intended feature, but the lack of safeguards or privilege separation makes it risky when exposed to untrusted actors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nsclient | nsclient\+\+ | 0.5.2.35 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nsclient:nsclient\\+\\+:0.5.2.35:*:*:*:*:*:*:*",
"matchCriteriaId": "602E0CAC-528A-4B90-9F2E-B8E11BCABE55",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An authenticated remote code execution vulnerability exists in NSClient++ version 0.5.2.35 when the web interface and ExternalScripts module are enabled. A remote attacker with the administrator password can authenticate to the web interface (default port 8443), inject arbitrary commands as external scripts via the /settings/query.json API, save the configuration, and trigger the script via the /query/{name} endpoint. The injected commands are executed with SYSTEM privileges, enabling full remote compromise.\n\nThis capability is an intended feature, but the lack of safeguards or privilege separation makes it risky when exposed to untrusted actors."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo autenticada en NSClient++ versi\u00f3n 0.5.2.35 cuando la interfaz web y el m\u00f3dulo ExternalScripts est\u00e1n habilitados. Un atacante remoto con la contrase\u00f1a de administrador puede autenticarse en la interfaz web (puerto predeterminado 8443), inyectar comandos arbitrarios como scripts externos mediante la API /settings/query.json, guardar la configuraci\u00f3n y ejecutar el script mediante el endpoint /query/{name}. Los comandos inyectados se ejecutan con privilegios de sistema, lo que permite una vulneraci\u00f3n remota completa. Esta funci\u00f3n es una funci\u00f3n prevista, pero la falta de protecciones o separaci\u00f3n de privilegios la hace peligrosa al exponerse a actores no confiables."
}
],
"id": "CVE-2025-34079",
"lastModified": "2025-09-16T19:53:27.970",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-07-02T20:15:29.963",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Exploit"
],
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/nscp_authenticated_rce.rb"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://vulncheck.com/advisories/nsclient-localtoremote-system-compromise"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Exploit",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/48360"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
},
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2025-34078
Vulnerability from fkie_nvd - Published: 2025-07-02 20:15 - Updated: 2025-11-25 15:15
Severity ?
Summary
A local privilege escalation vulnerability exists in NSClient++ 0.5.2.35 when both the web interface and ExternalScripts features are enabled. The configuration file (nsclient.ini) stores the administrative password in plaintext and is readable by local users. By extracting this password, an attacker can authenticate to the NSClient++ web interface (typically accessible on port 8443) and abuse the ExternalScripts plugin to inject and execute arbitrary commands as SYSTEM by registering a custom script, saving the configuration, and triggering it via the API.
This behavior is documented but insecure, as the plaintext credential exposure undermines access isolation between local users and administrative functions.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/local/nscp_pe.rb | Exploit, Third Party Advisory | |
| disclosure@vulncheck.com | https://vulncheck.com/advisories/nsclient-localtoremote-system-compromise | Exploit, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.exploit-db.com/exploits/46802 | Exploit, Third Party Advisory, VDB Entry | |
| disclosure@vulncheck.com | https://www.exploit-db.com/exploits/48360 | Exploit, VDB Entry |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nsclient | nsclient\+\+ | 0.5.2.35 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nsclient:nsclient\\+\\+:0.5.2.35:*:*:*:*:*:*:*",
"matchCriteriaId": "602E0CAC-528A-4B90-9F2E-B8E11BCABE55",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A local privilege escalation vulnerability exists in NSClient++ 0.5.2.35 when both the web interface and ExternalScripts features are enabled. The configuration file (nsclient.ini) stores the administrative password in plaintext and is readable by local users. By extracting this password, an attacker can authenticate to the NSClient++ web interface (typically accessible on port 8443) and abuse the ExternalScripts plugin to inject and execute arbitrary commands as SYSTEM by registering a custom script, saving the configuration, and triggering it via the API.\n\nThis behavior is documented but insecure, as the plaintext credential exposure undermines access isolation between local users and administrative functions."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de escalada de privilegios local en NSClient++ 0.5.2.35 cuando tanto la interfaz web como las funciones de ExternalScripts est\u00e1n habilitadas. El archivo de configuraci\u00f3n (nsclient.ini) almacena la contrase\u00f1a administrativa en texto plano y es legible para los usuarios locales. Al extraer esta contrase\u00f1a, un atacante puede autenticarse en la interfaz web de NSClient++ (normalmente accesible en el puerto 8443) y abusar del complemento ExternalScripts para inyectar y ejecutar comandos arbitrarios como SYSTEM. Para ello, registra un script personalizado, guarda la configuraci\u00f3n y lo activa mediante la API. Este comportamiento est\u00e1 documentado, pero es inseguro, ya que la exposici\u00f3n de las credenciales en texto plano vulnera el aislamiento de acceso entre los usuarios locales y las funciones administrativas."
}
],
"id": "CVE-2025-34078",
"lastModified": "2025-11-25T15:15:51.260",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-07-02T20:15:29.827",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/local/nscp_pe.rb"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://vulncheck.com/advisories/nsclient-localtoremote-system-compromise"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/46802"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Exploit",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/48360"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-6384
Vulnerability from fkie_nvd - Published: 2018-01-31 16:29 - Updated: 2024-11-21 04:10
Severity ?
Summary
Unquoted Windows search path vulnerability in NSClient++ before 0.4.1.73 allows non-privileged local users to execute arbitrary code with elevated privileges on the system via a malicious program.exe executable in the %SYSTEMDRIVE% folder.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nsclient | nsclient\+\+ | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nsclient:nsclient\\+\\+:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BF8C2F42-BB99-4294-8B43-ECC2F78A3629",
"versionEndExcluding": "0.4.1.73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unquoted Windows search path vulnerability in NSClient++ before 0.4.1.73 allows non-privileged local users to execute arbitrary code with elevated privileges on the system via a malicious program.exe executable in the %SYSTEMDRIVE% folder."
},
{
"lang": "es",
"value": "Vulnerabilidad de ruta de b\u00fasqueda no entrecomillada en Windows en NSClient++, en versiones anteriores a la 0.4.1.73, permite que usuarios locales no privilegiados ejecuten c\u00f3digo arbitrario con privilegios elevados en el sistema mediante un ejecutable program.exe malicioso en la carpeta %SYSTEMDRIVE%."
}
],
"id": "CVE-2018-6384",
"lastModified": "2024-11-21T04:10:36.517",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-01-31T16:29:00.307",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://nsclient.org/blog/2018/01/30/CVE-2018-6384-0.3.9/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.on-x.com/sites/default/files/on-x_-_security_advisory_-_nsclient_-_cve-2018-6384.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://nsclient.org/blog/2018/01/30/CVE-2018-6384-0.3.9/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.on-x.com/sites/default/files/on-x_-_security_advisory_-_nsclient_-_cve-2018-6384.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-428"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-34079 (GCVE-0-2025-34079)
Vulnerability from cvelistv5 – Published: 2025-07-02 19:27 – Updated: 2025-11-29 15:29
VLAI?
Title
NSClient++ Authenticated Remote Code Execution via ExternalScripts API
Summary
An authenticated remote code execution vulnerability exists in NSClient++ version 0.5.2.35 when the web interface and ExternalScripts module are enabled. A remote attacker with the administrator password can authenticate to the web interface (default port 8443), inject arbitrary commands as external scripts via the /settings/query.json API, save the configuration, and trigger the script via the /query/{name} endpoint. The injected commands are executed with SYSTEM privileges, enabling full remote compromise.
This capability is an intended feature, but the lack of safeguards or privilege separation makes it risky when exposed to untrusted actors.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NSClient++ | NSClient++ |
Affected:
0.5.2.35
|
Credits
kindredsec
Yann Castel
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34079",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-02T19:42:25.275157Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-02T19:42:36.021Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"ExternalScripts",
"/settings/query.json",
"/query/{name}"
],
"platforms": [
"Windows",
"64 bit"
],
"product": "NSClient++",
"vendor": "NSClient++",
"versions": [
{
"status": "affected",
"version": "0.5.2.35"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nsclient:nsclient\\+\\+:0.5.2.35:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "kindredsec"
},
{
"lang": "en",
"type": "finder",
"value": "Yann Castel"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authenticated remote code execution vulnerability exists in NSClient++ version 0.5.2.35 when the web interface and \u003ccode\u003eExternalScripts\u003c/code\u003e module are enabled. A remote attacker with the administrator password can authenticate to the web interface (default port 8443), inject arbitrary commands as external scripts via the \u003ccode\u003e/settings/query.json\u003c/code\u003e API, save the configuration, and trigger the script via the \u003ccode\u003e/query/{name}\u003c/code\u003e endpoint. The injected commands are executed with SYSTEM privileges, enabling full remote compromise.\u003cbr\u003e\u003cbr\u003eThis capability is an intended feature, but the lack of safeguards or privilege separation makes it risky when exposed to untrusted actors.\u003cbr\u003e"
}
],
"value": "An authenticated remote code execution vulnerability exists in NSClient++ version 0.5.2.35 when the web interface and ExternalScripts module are enabled. A remote attacker with the administrator password can authenticate to the web interface (default port 8443), inject arbitrary commands as external scripts via the /settings/query.json API, save the configuration, and trigger the script via the /query/{name} endpoint. The injected commands are executed with SYSTEM privileges, enabling full remote compromise.\n\nThis capability is an intended feature, but the lack of safeguards or privilege separation makes it risky when exposed to untrusted actors."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
},
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-29T15:29:40.047Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/nscp_authenticated_rce.rb"
},
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/48360"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/nsclient-localtoremote-system-compromise"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "NSClient++ Authenticated Remote Code Execution via ExternalScripts API",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34079",
"datePublished": "2025-07-02T19:27:41.046Z",
"dateReserved": "2025-04-15T19:15:22.550Z",
"dateUpdated": "2025-11-29T15:29:40.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34078 (GCVE-0-2025-34078)
Vulnerability from cvelistv5 – Published: 2025-07-02 19:27 – Updated: 2025-11-29 15:28
VLAI?
Title
NSClient++ 0.5.2.35 Local Privilege Escalation via ExternalScripts and Web Interface
Summary
A local privilege escalation vulnerability exists in NSClient++ 0.5.2.35 when both the web interface and ExternalScripts features are enabled. The configuration file (nsclient.ini) stores the administrative password in plaintext and is readable by local users. By extracting this password, an attacker can authenticate to the NSClient++ web interface (typically accessible on port 8443) and abuse the ExternalScripts plugin to inject and execute arbitrary commands as SYSTEM by registering a custom script, saving the configuration, and triggering it via the API.
This behavior is documented but insecure, as the plaintext credential exposure undermines access isolation between local users and administrative functions.
Severity ?
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NSClient++ | NSClient++ |
Affected:
0.5.2.35
|
Credits
kindredsec
BZYO
Yann Castel
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34078",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-02T20:31:46.133395Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-02T20:32:01.677Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"ExternalScripts",
"nsclient.ini",
"/settings/query.json"
],
"platforms": [
"Windows",
"64 bit"
],
"product": "NSClient++",
"vendor": "NSClient++",
"versions": [
{
"status": "affected",
"version": "0.5.2.35"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nsclient:nsclient\\+\\+:0.5.2.35:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nsclient:nsclient\\+\\+:0.5.2.35:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "kindredsec"
},
{
"lang": "en",
"type": "finder",
"value": "BZYO"
},
{
"lang": "en",
"type": "finder",
"value": "Yann Castel"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A local privilege escalation vulnerability exists in NSClient++ 0.5.2.35 when both the web interface and \u003ccode\u003eExternalScripts\u003c/code\u003e features are enabled. The configuration file (\u003ccode\u003ensclient.ini\u003c/code\u003e) stores the administrative password in plaintext and is readable by local users. By extracting this password, an attacker can authenticate to the NSClient++ web interface (typically accessible on port 8443) and abuse the \u003ccode\u003eExternalScripts\u003c/code\u003e plugin to inject and execute arbitrary commands as SYSTEM by registering a custom script, saving the configuration, and triggering it via the API.\u003cbr\u003e\u003cbr\u003eThis behavior is documented but insecure, as the plaintext credential exposure undermines access isolation between local users and administrative functions.\u003cbr\u003e"
}
],
"value": "A local privilege escalation vulnerability exists in NSClient++ 0.5.2.35 when both the web interface and ExternalScripts features are enabled. The configuration file (nsclient.ini) stores the administrative password in plaintext and is readable by local users. By extracting this password, an attacker can authenticate to the NSClient++ web interface (typically accessible on port 8443) and abuse the ExternalScripts plugin to inject and execute arbitrary commands as SYSTEM by registering a custom script, saving the configuration, and triggering it via the API.\n\nThis behavior is documented but insecure, as the plaintext credential exposure undermines access isolation between local users and administrative functions."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
},
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
},
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-29T15:28:45.957Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/local/nscp_pe.rb"
},
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/48360"
},
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46802"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/nsclient-localtoremote-system-compromise"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "NSClient++ 0.5.2.35 Local Privilege Escalation via ExternalScripts and Web Interface",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34078",
"datePublished": "2025-07-02T19:27:26.073Z",
"dateReserved": "2025-04-15T19:15:22.550Z",
"dateUpdated": "2025-11-29T15:28:45.957Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2018-6384 (GCVE-0-2018-6384)
Vulnerability from cvelistv5 – Published: 2018-01-31 16:00 – Updated: 2024-08-05 06:01
VLAI?
Summary
Unquoted Windows search path vulnerability in NSClient++ before 0.4.1.73 allows non-privileged local users to execute arbitrary code with elevated privileges on the system via a malicious program.exe executable in the %SYSTEMDRIVE% folder.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:01:49.148Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.on-x.com/sites/default/files/on-x_-_security_advisory_-_nsclient_-_cve-2018-6384.pdf"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nsclient.org/blog/2018/01/30/CVE-2018-6384-0.3.9/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-01-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Unquoted Windows search path vulnerability in NSClient++ before 0.4.1.73 allows non-privileged local users to execute arbitrary code with elevated privileges on the system via a malicious program.exe executable in the %SYSTEMDRIVE% folder."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-22T15:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.on-x.com/sites/default/files/on-x_-_security_advisory_-_nsclient_-_cve-2018-6384.pdf"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nsclient.org/blog/2018/01/30/CVE-2018-6384-0.3.9/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-6384",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unquoted Windows search path vulnerability in NSClient++ before 0.4.1.73 allows non-privileged local users to execute arbitrary code with elevated privileges on the system via a malicious program.exe executable in the %SYSTEMDRIVE% folder."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.on-x.com/sites/default/files/on-x_-_security_advisory_-_nsclient_-_cve-2018-6384.pdf",
"refsource": "MISC",
"url": "https://www.on-x.com/sites/default/files/on-x_-_security_advisory_-_nsclient_-_cve-2018-6384.pdf"
},
{
"name": "https://nsclient.org/blog/2018/01/30/CVE-2018-6384-0.3.9/",
"refsource": "CONFIRM",
"url": "https://nsclient.org/blog/2018/01/30/CVE-2018-6384-0.3.9/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-6384",
"datePublished": "2018-01-31T16:00:00",
"dateReserved": "2018-01-29T00:00:00",
"dateUpdated": "2024-08-05T06:01:49.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-34079 (GCVE-0-2025-34079)
Vulnerability from nvd – Published: 2025-07-02 19:27 – Updated: 2025-11-29 15:29
VLAI?
Title
NSClient++ Authenticated Remote Code Execution via ExternalScripts API
Summary
An authenticated remote code execution vulnerability exists in NSClient++ version 0.5.2.35 when the web interface and ExternalScripts module are enabled. A remote attacker with the administrator password can authenticate to the web interface (default port 8443), inject arbitrary commands as external scripts via the /settings/query.json API, save the configuration, and trigger the script via the /query/{name} endpoint. The injected commands are executed with SYSTEM privileges, enabling full remote compromise.
This capability is an intended feature, but the lack of safeguards or privilege separation makes it risky when exposed to untrusted actors.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NSClient++ | NSClient++ |
Affected:
0.5.2.35
|
Credits
kindredsec
Yann Castel
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34079",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-02T19:42:25.275157Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-02T19:42:36.021Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"ExternalScripts",
"/settings/query.json",
"/query/{name}"
],
"platforms": [
"Windows",
"64 bit"
],
"product": "NSClient++",
"vendor": "NSClient++",
"versions": [
{
"status": "affected",
"version": "0.5.2.35"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nsclient:nsclient\\+\\+:0.5.2.35:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "kindredsec"
},
{
"lang": "en",
"type": "finder",
"value": "Yann Castel"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authenticated remote code execution vulnerability exists in NSClient++ version 0.5.2.35 when the web interface and \u003ccode\u003eExternalScripts\u003c/code\u003e module are enabled. A remote attacker with the administrator password can authenticate to the web interface (default port 8443), inject arbitrary commands as external scripts via the \u003ccode\u003e/settings/query.json\u003c/code\u003e API, save the configuration, and trigger the script via the \u003ccode\u003e/query/{name}\u003c/code\u003e endpoint. The injected commands are executed with SYSTEM privileges, enabling full remote compromise.\u003cbr\u003e\u003cbr\u003eThis capability is an intended feature, but the lack of safeguards or privilege separation makes it risky when exposed to untrusted actors.\u003cbr\u003e"
}
],
"value": "An authenticated remote code execution vulnerability exists in NSClient++ version 0.5.2.35 when the web interface and ExternalScripts module are enabled. A remote attacker with the administrator password can authenticate to the web interface (default port 8443), inject arbitrary commands as external scripts via the /settings/query.json API, save the configuration, and trigger the script via the /query/{name} endpoint. The injected commands are executed with SYSTEM privileges, enabling full remote compromise.\n\nThis capability is an intended feature, but the lack of safeguards or privilege separation makes it risky when exposed to untrusted actors."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
},
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-29T15:29:40.047Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/nscp_authenticated_rce.rb"
},
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/48360"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/nsclient-localtoremote-system-compromise"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "NSClient++ Authenticated Remote Code Execution via ExternalScripts API",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34079",
"datePublished": "2025-07-02T19:27:41.046Z",
"dateReserved": "2025-04-15T19:15:22.550Z",
"dateUpdated": "2025-11-29T15:29:40.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34078 (GCVE-0-2025-34078)
Vulnerability from nvd – Published: 2025-07-02 19:27 – Updated: 2025-11-29 15:28
VLAI?
Title
NSClient++ 0.5.2.35 Local Privilege Escalation via ExternalScripts and Web Interface
Summary
A local privilege escalation vulnerability exists in NSClient++ 0.5.2.35 when both the web interface and ExternalScripts features are enabled. The configuration file (nsclient.ini) stores the administrative password in plaintext and is readable by local users. By extracting this password, an attacker can authenticate to the NSClient++ web interface (typically accessible on port 8443) and abuse the ExternalScripts plugin to inject and execute arbitrary commands as SYSTEM by registering a custom script, saving the configuration, and triggering it via the API.
This behavior is documented but insecure, as the plaintext credential exposure undermines access isolation between local users and administrative functions.
Severity ?
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NSClient++ | NSClient++ |
Affected:
0.5.2.35
|
Credits
kindredsec
BZYO
Yann Castel
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34078",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-02T20:31:46.133395Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-02T20:32:01.677Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"ExternalScripts",
"nsclient.ini",
"/settings/query.json"
],
"platforms": [
"Windows",
"64 bit"
],
"product": "NSClient++",
"vendor": "NSClient++",
"versions": [
{
"status": "affected",
"version": "0.5.2.35"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nsclient:nsclient\\+\\+:0.5.2.35:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nsclient:nsclient\\+\\+:0.5.2.35:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "kindredsec"
},
{
"lang": "en",
"type": "finder",
"value": "BZYO"
},
{
"lang": "en",
"type": "finder",
"value": "Yann Castel"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A local privilege escalation vulnerability exists in NSClient++ 0.5.2.35 when both the web interface and \u003ccode\u003eExternalScripts\u003c/code\u003e features are enabled. The configuration file (\u003ccode\u003ensclient.ini\u003c/code\u003e) stores the administrative password in plaintext and is readable by local users. By extracting this password, an attacker can authenticate to the NSClient++ web interface (typically accessible on port 8443) and abuse the \u003ccode\u003eExternalScripts\u003c/code\u003e plugin to inject and execute arbitrary commands as SYSTEM by registering a custom script, saving the configuration, and triggering it via the API.\u003cbr\u003e\u003cbr\u003eThis behavior is documented but insecure, as the plaintext credential exposure undermines access isolation between local users and administrative functions.\u003cbr\u003e"
}
],
"value": "A local privilege escalation vulnerability exists in NSClient++ 0.5.2.35 when both the web interface and ExternalScripts features are enabled. The configuration file (nsclient.ini) stores the administrative password in plaintext and is readable by local users. By extracting this password, an attacker can authenticate to the NSClient++ web interface (typically accessible on port 8443) and abuse the ExternalScripts plugin to inject and execute arbitrary commands as SYSTEM by registering a custom script, saving the configuration, and triggering it via the API.\n\nThis behavior is documented but insecure, as the plaintext credential exposure undermines access isolation between local users and administrative functions."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
},
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
},
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-29T15:28:45.957Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/local/nscp_pe.rb"
},
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/48360"
},
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46802"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/nsclient-localtoremote-system-compromise"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "NSClient++ 0.5.2.35 Local Privilege Escalation via ExternalScripts and Web Interface",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34078",
"datePublished": "2025-07-02T19:27:26.073Z",
"dateReserved": "2025-04-15T19:15:22.550Z",
"dateUpdated": "2025-11-29T15:28:45.957Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2018-6384 (GCVE-0-2018-6384)
Vulnerability from nvd – Published: 2018-01-31 16:00 – Updated: 2024-08-05 06:01
VLAI?
Summary
Unquoted Windows search path vulnerability in NSClient++ before 0.4.1.73 allows non-privileged local users to execute arbitrary code with elevated privileges on the system via a malicious program.exe executable in the %SYSTEMDRIVE% folder.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:01:49.148Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.on-x.com/sites/default/files/on-x_-_security_advisory_-_nsclient_-_cve-2018-6384.pdf"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nsclient.org/blog/2018/01/30/CVE-2018-6384-0.3.9/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-01-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Unquoted Windows search path vulnerability in NSClient++ before 0.4.1.73 allows non-privileged local users to execute arbitrary code with elevated privileges on the system via a malicious program.exe executable in the %SYSTEMDRIVE% folder."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-22T15:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.on-x.com/sites/default/files/on-x_-_security_advisory_-_nsclient_-_cve-2018-6384.pdf"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nsclient.org/blog/2018/01/30/CVE-2018-6384-0.3.9/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-6384",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unquoted Windows search path vulnerability in NSClient++ before 0.4.1.73 allows non-privileged local users to execute arbitrary code with elevated privileges on the system via a malicious program.exe executable in the %SYSTEMDRIVE% folder."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.on-x.com/sites/default/files/on-x_-_security_advisory_-_nsclient_-_cve-2018-6384.pdf",
"refsource": "MISC",
"url": "https://www.on-x.com/sites/default/files/on-x_-_security_advisory_-_nsclient_-_cve-2018-6384.pdf"
},
{
"name": "https://nsclient.org/blog/2018/01/30/CVE-2018-6384-0.3.9/",
"refsource": "CONFIRM",
"url": "https://nsclient.org/blog/2018/01/30/CVE-2018-6384-0.3.9/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-6384",
"datePublished": "2018-01-31T16:00:00",
"dateReserved": "2018-01-29T00:00:00",
"dateUpdated": "2024-08-05T06:01:49.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}