CVE-2025-34078

HIGH

NSClient++ <0.5.2.35 - Privilege Escalation

Title source: llm

Description

A local privilege escalation vulnerability exists in NSClient++ 0.5.2.35 when both the web interface and ExternalScripts features are enabled. The configuration file (nsclient.ini) stores the administrative password in plaintext and is readable by local users. By extracting this password, an attacker can authenticate to the NSClient++ web interface (typically accessible on port 8443) and abuse the ExternalScripts plugin to inject and execute arbitrary commands as SYSTEM by registering a custom script, saving the configuration, and triggering it via the API. This behavior is documented but insecure, as the plaintext credential exposure undermines access isolation between local users and administrative functions.

Exploits (3)

exploitdb WORKING POC

by kindredsec · textwebappsjson

https://www.exploit-db.com/exploits/48360

View Code ZIP pw:eip

exploitdb WORKING POC

by bzyo · textlocalwindows

https://www.exploit-db.com/exploits/46802

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by kindredsec, BZYO · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/nscp_pe.rb

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory] https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/local/nscp_pe.rb

[Exploit, Third Party Advisory] https://vulncheck.com/advisories/nsclient-localtoremote-system-compromise

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/46802

[Exploit, VDB Entry] https://www.exploit-db.com/exploits/48360

Scores

CVSS v3 7.8

EPSS 0.0277

EPSS Percentile 86.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-522

Status published

Products (2)

nsclient/nsclient\+\+ 0.5.2.35

NSClient++/NSClient++ 0.5.2.35

Published Jul 02, 2025

Tracked Since Feb 18, 2026