CVE-2025-34079

HIGH

NSClient++ <0.5.2.35 - Authenticated RCE

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-34079. PoCs published by kindredsec, including Metasploit module exploits/windows/http/nscp_authenticated_rce.

AI-analyzed exploit summary This exploit leverages authenticated access to NSClient++'s external scripts feature to achieve remote code execution (RCE) by adding a malicious script, saving the configuration, and triggering execution. The exploit handles authentication, configuration updates, and application reloads to ensure payload execution.

Description

An authenticated remote code execution vulnerability exists in NSClient++ version 0.5.2.35 when the web interface and ExternalScripts module are enabled. A remote attacker with the administrator password can authenticate to the web interface (default port 8443), inject arbitrary commands as external scripts via the /settings/query.json API, save the configuration, and trigger the script via the /query/{name} endpoint. The injected commands are executed with SYSTEM privileges, enabling full remote compromise. This capability is an intended feature, but the lack of safeguards or privilege separation makes it risky when exposed to untrusted actors.

Exploits (2)

exploitdb WORKING POC

by kindredsec · textwebappsjson

https://www.exploit-db.com/exploits/48360

View Code ZIP pw:eip

This exploit leverages authenticated access to NSClient++'s external scripts feature to achieve remote code execution (RCE) by adding a malicious script, saving the configuration, and triggering execution. The exploit handles authentication, configuration updates, and application reloads to ensure payload execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: NSClient++ 0.5.2.35

Auth required

Prerequisites: Valid administrative credentials for NSClient++ · External Scripts module enabled or ability to enable it · Network access to the NSClient++ web interface

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by kindredsec · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/nscp_authenticated_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits an authenticated RCE vulnerability in NSClient++ 0.5.2.35 by configuring an external script via the web interface and triggering it to execute a PowerShell payload. It requires valid admin credentials and the ExternalScripts feature to be enabled.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: NSClient++ 0.5.2.35

Auth required

Prerequisites: Admin password for NSClient++ web interface · ExternalScripts feature enabled · Web interface accessible

MITRE ATT&CK

T1021 - Remote Services T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/nscp_authenticated_rce.rb

Exploit, VDB Entry exploit

https://www.exploit-db.com/exploits/48360

Exploit, Third Party Advisory third-party-advisory

https://vulncheck.com/advisories/nsclient-localtoremote-system-compromise

Scores

CVSS v3 7.8

EPSS 0.7309

EPSS Percentile 98.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-306 CWE-94

Status published

Products (2)

nsclient/nsclient\+\+ 0.5.2.35

NSClient++/NSClient++ 0.5.2.35

Published Jul 02, 2025

Tracked Since Feb 18, 2026