CVE-2025-34078

NSClient++ 0.5.2.35 Local Privilege Escalation via ExternalScripts and Web Interface

Severity Score

7.3

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

A local privilege escalation vulnerability exists in NSClient++ 0.5.2.35 when both the web interface and ExternalScripts features are enabled. The configuration file (nsclient.ini) stores the administrative password in plaintext and is readable by local users. By extracting this password, an attacker can authenticate to the NSClient++ web interface (typically accessible on port 8443) and abuse the ExternalScripts plugin to inject and execute arbitrary commands as SYSTEM by registering a custom script, saving the configuration, and triggering it via the API. This behavior is documented but insecure, as the plaintext credential exposure undermines access isolation between local users and administrative functions.

*Credits: kindredsec, BZYO, Yann Castel

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Attack Requirements

Present

Privileges Required

Low

User Interaction

None

System

Vulnerable | Subsequent

Confidentiality

High

None

Integrity

High

None

Availability

High

None

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2025-04-15 CVE Reserved
2025-07-02 CVE Published
2025-07-02 CVE Updated
2025-07-02 First Exploit
2025-07-08 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-269: Improper Privilege Management
CWE-312: Cleartext Storage of Sensitive Information

CAPEC

CAPEC-115: Authentication Bypass
CAPEC-137: Parameter Injection
CAPEC-233: Privilege Escalation

References (4)

URL	Tag	Source
https://vulncheck.com/advisories/nsclient-localtoremote-system-compromise	Third Party Advisory

URL	Date	SRC
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/local/nscp_pe.rb	2025-07-02
https://www.exploit-db.com/exploits/46802	2025-07-02
https://www.exploit-db.com/exploits/48360	2025-07-02

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
NSClient++ Search vendor "NSClient++"		NSClient++ Search vendor "NSClient++" for product "NSClient++"				0.5.2.35 Search vendor "NSClient++" for product "NSClient++" and version "0.5.2.35"		en		Affected