CVE-2025-34078

UNKNOWN 0.0

NSClient++ 0.5.2.35 Local Privilege Escalation via ExternalScripts and Web Interface

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

A local privilege escalation vulnerability exists in NSClient++ 0.5.2.35 when both the web interface and ExternalScripts features are enabled. The configuration file (nsclient.ini) stores the administrative password in plaintext and is readable by local users. By extracting this password, an attacker can authenticate to the NSClient++ web interface (typically accessible on port 8443) and abuse the ExternalScripts plugin to inject and execute arbitrary commands as SYSTEM by registering a custom script, saving the configuration, and triggering it via the API. This behavior is documented but insecure, as the plaintext credential exposure undermines access isolation between local users and administrative functions.

CWE	CWE-522
Vendor	nsclient++
Product	nsclient++
Published	Jul 2, 2025
Last Updated	Apr 7, 2026

Stay Ahead of the Next One

Get instant alerts for nsclient++ nsclient++

Be the first to know when new unknown vulnerabilities affecting nsclient++ nsclient++ are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

NSClient++ / NSClient++

0.5.2.35

References

NVD ↗ CVE.org ↗ EPSS Data ↗

raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/local/nscp_pe.rb exploit-db.com: https://www.exploit-db.com/exploits/48360 exploit-db.com: https://www.exploit-db.com/exploits/46802 vulncheck.com: https://vulncheck.com/advisories/nsclient-localtoremote-system-compromise

Credits

kindredsec BZYO Yann Castel