CVE-2025-34078

HIGH

NSClient++ <0.5.2.35 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2025-34078. PoCs published by kindredsec, bzyo, kindredsec, BZYO, including Metasploit module exploits/windows/local/nscp_pe.

AI-analyzed exploit summary This exploit leverages authenticated access to NSClient++'s external scripts feature to achieve remote code execution (RCE) by adding a malicious script, saving the configuration, and triggering execution. The exploit handles authentication, configuration updates, and application reloads to ensure payload execution.

Description

A local privilege escalation vulnerability exists in NSClient++ 0.5.2.35 when both the web interface and ExternalScripts features are enabled. The configuration file (nsclient.ini) stores the administrative password in plaintext and is readable by local users. By extracting this password, an attacker can authenticate to the NSClient++ web interface (typically accessible on port 8443) and abuse the ExternalScripts plugin to inject and execute arbitrary commands as SYSTEM by registering a custom script, saving the configuration, and triggering it via the API. This behavior is documented but insecure, as the plaintext credential exposure undermines access isolation between local users and administrative functions.

Exploits (3)

exploitdb WORKING POC
by kindredsec · textwebappsjson
https://www.exploit-db.com/exploits/48360

This exploit leverages authenticated access to NSClient++'s external scripts feature to achieve remote code execution (RCE) by adding a malicious script, saving the configuration, and triggering execution. The exploit handles authentication, configuration updates, and application reloads to ensure payload execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: NSClient++ 0.5.2.35
Auth required
Prerequisites: Valid administrative credentials for NSClient++ · External Scripts module enabled or ability to enable it · Network access to the NSClient++ web interface
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by bzyo · textlocalwindows
https://www.exploit-db.com/exploits/46802

This exploit demonstrates a privilege escalation vulnerability in NSClient++ 0.5.2.35 by reading the cleartext web administrator password from the configuration file, enabling external script execution, and scheduling a malicious script to run as Local System.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: NSClient++ 0.5.2.35
Auth required
Prerequisites: Local access to the system · NSClient++ with Web Server enabled · Low privileged user account · Ability to reboot the system
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by kindredsec, BZYO · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/nscp_pe.rb

This Metasploit module exploits CVE-2025-34078 in NSClient++ 0.5.2.35 by leveraging the ExternalScripts feature and a cleartext admin password in the config file to achieve privilege escalation via a crafted PowerShell payload.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: NSClient++ 0.5.2.35
Auth required
Prerequisites: Unprivileged Windows account · NSClient++ web interface enabled · ExternalScripts feature enabled · Access to NSClient config file
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (4)

Core 4
Core References
Exploit, VDB Entry exploit
https://www.exploit-db.com/exploits/48360
Exploit, Third Party Advisory, VDB Entry exploit
https://www.exploit-db.com/exploits/46802
Exploit, Third Party Advisory third-party-advisory
https://vulncheck.com/advisories/nsclient-localtoremote-system-compromise

Scores

CVSS v3 7.8
EPSS 0.0050
EPSS Percentile 38.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-522
Status published
Products (2)
nsclient/nsclient\+\+ 0.5.2.35
NSClient++/NSClient++ 0.5.2.35
Published Jul 02, 2025
Tracked Since Feb 18, 2026