CVE-2025-34079

HIGH

NSClient++ <0.5.2.35 - Authenticated RCE

Title source: llm

Description

An authenticated remote code execution vulnerability exists in NSClient++ version 0.5.2.35 when the web interface and ExternalScripts module are enabled. A remote attacker with the administrator password can authenticate to the web interface (default port 8443), inject arbitrary commands as external scripts via the /settings/query.json API, save the configuration, and trigger the script via the /query/{name} endpoint. The injected commands are executed with SYSTEM privileges, enabling full remote compromise. This capability is an intended feature, but the lack of safeguards or privilege separation makes it risky when exposed to untrusted actors.

Exploits (2)

exploitdb WORKING POC

by kindredsec · textwebappsjson

https://www.exploit-db.com/exploits/48360

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by kindredsec · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/nscp_authenticated_rce.rb

View Code ZIP pw:eip

References (3)

[Exploit] https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/nscp_authenticated_rce.rb

[Exploit, Third Party Advisory] https://vulncheck.com/advisories/nsclient-localtoremote-system-compromise

[Exploit, VDB Entry] https://www.exploit-db.com/exploits/48360

Scores

CVSS v3 7.8

EPSS 0.5595

EPSS Percentile 98.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-306 CWE-94

Status published

Products (2)

nsclient/nsclient\+\+ 0.5.2.35

NSClient++/NSClient++ 0.5.2.35

Published Jul 02, 2025

Tracked Since Feb 18, 2026