CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 2CVE-2025-34079 – NSClient++ Authenticated Remote Code Execution via ExternalScripts API
https://notcve.org/view.php?id=CVE-2025-34079
02 Jul 2025 — An authenticated remote code execution vulnerability exists in NSClient++ version 0.5.2.35 when the web interface and ExternalScripts module are enabled. A remote attacker with the administrator password can authenticate to the web interface (default port 8443), inject arbitrary commands as external scripts via the /settings/query.json API, save the configuration, and trigger the script via the /query/{name} endpoint. The injected commands are executed with SYSTEM privileges, enabling full remote compromise... • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/nscp_authenticated_rce.rb • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-306: Missing Authentication for Critical Function •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 3CVE-2025-34078 – NSClient++ 0.5.2.35 Local Privilege Escalation via ExternalScripts and Web Interface
https://notcve.org/view.php?id=CVE-2025-34078
02 Jul 2025 — A local privilege escalation vulnerability exists in NSClient++ 0.5.2.35 when both the web interface and ExternalScripts features are enabled. The configuration file (nsclient.ini) stores the administrative password in plaintext and is readable by local users. By extracting this password, an attacker can authenticate to the NSClient++ web interface (typically accessible on port 8443) and abuse the ExternalScripts plugin to inject and execute arbitrary commands as SYSTEM by registering a custom script, savin... • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/local/nscp_pe.rb • CWE-269: Improper Privilege Management CWE-312: Cleartext Storage of Sensitive Information •