Description
A local privilege escalation vulnerability exists in NSClient++ 0.5.2.35 when both the web interface and ExternalScripts features are enabled. The configuration file (nsclient.ini) stores the administrative password in plaintext and is readable by local users. By extracting this password, an attacker can authenticate to the NSClient++ web interface (typically accessible on port 8443) and abuse the ExternalScripts plugin to inject and execute arbitrary commands as SYSTEM by registering a custom script, saving the configuration, and triggering it via the API.

This behavior is documented but insecure, as the plaintext credential exposure undermines access isolation between local users and administrative functions.
Published: 2025-07-02
Score: 7.3 High
EPSS: 7.0% Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

NSClient++ 0.5.2.35 stores the administrative password in plaintext in nsclient.ini, which is world‑readable for local users. An attacker who can read the file can extract the password, authenticate to the NSClient++ web interface that normally runs on port 8443, and then exploit the ExternalScripts plugin by registering a custom script. Once the script is registered and the configuration saved, the attacker can trigger it via the API, causing arbitrary command execution as SYSTEM. This flaw is a classic example of vulnerable credential storage (CWE‑522) leading to unchecked privilege escalation and complete system compromise.

Affected Systems

The vulnerability affects Windows systems running NSClient++ version 0.5.2.35. No other product versions are listed as affected. The issue arises when the web interface and ExternalScripts features are enabled in the configuration.

Risk and Exploitability

With a CVSS score of 7.3 the vulnerability is considered high severity, and an EPSS score of 7 % indicates a modest probability of exploitation. The flaw is reachable by any local user who can read files, so the attacker does not need network access. The exploit flow requires reading nsclient.ini, logging in via the web interface, and then abusing the ExternalScripts API to run commands as SYSTEM. Since the vulnerability is local and the information is well‑documented, it is likely to be employed by threat actors looking to gain elevated privileges on compromised Windows hosts.

Generated by OpenCVE AI on April 28, 2026 at 22:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official NSClient++ update if available to remove the plaintext password storage
  • If an update is not available, disable the ExternalScripts feature and/or the web interface in nsclient.ini to prevent unauthorized script registration
  • Restrict file permissions on nsclient.ini so that only the SYSTEM account can read it, and consider using a secure credential storage mechanism or a non‑plaintext password
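A configuration check for the recommended actions above, as an added example that is not part of the original advisory or of NSClient++ itself. The section and key names (`/modules`, `WEBServer`, `CheckExternalScripts`, `/settings/default`, `/settings/WEB/server`, `password`) are assumptions based on the NSClient++ 0.5.x settings layout, and the sample input is constructed.

```python
import configparser

ENABLED = {"enabled", "1", "true"}
# Assumed locations of the web/admin password in the 0.5.x settings layout.
PASSWORD_SECTIONS = ("/settings/default", "/settings/WEB/server")

def audit_nsclient_ini(text):
    """Flag the risky combination described in the advisory.

    Returns a dict; the password value itself is never returned or logged.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   allow_no_value=True)
    cp.read_string(text)

    def value(section, key):
        # fallback covers both a missing section and a missing key
        return (cp.get(section, key, fallback="") or "").strip()

    web = value("/modules", "WEBServer").lower() in ENABLED
    ext = value("/modules", "CheckExternalScripts").lower() in ENABLED
    pw_sections = [s for s in PASSWORD_SECTIONS if value(s, "password")]
    return {
        "web_interface_enabled": web,
        "external_scripts_enabled": ext,
        "plaintext_password_sections": pw_sections,
        # All three conditions from the advisory are present at once.
        "exposed": web and ext and bool(pw_sections),
    }

# Constructed sample input, not taken from a real host.
SAMPLE_VULNERABLE = """\
[/settings/default]
password = CONSTRUCTED-EXAMPLE-ONLY
allowed hosts = 127.0.0.1

[/modules]
CheckExternalScripts = enabled
WEBServer = enabled
"""

# Same file after disabling the web interface, as the second action suggests.
SAMPLE_HARDENED = SAMPLE_VULNERABLE.replace("WEBServer = enabled",
                                            "WEBServer = disabled")

if __name__ == "__main__":
    print(audit_nsclient_ini(SAMPLE_VULNERABLE))
    print(audit_nsclient_ini(SAMPLE_HARDENED))
```

The check covers only the file contents; whether local users can read nsclient.ini is an ACL question and has to be verified on the host separately.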



Advisories
Source ID Title
EUVD EUVD-2025-19753 A local privilege escalation vulnerability exists in NSClient++ 0.5.2.35 when both the web interface and ExternalScripts features are enabled. The configuration file (nsclient.ini) stores the administrative password in plaintext and is readable by local users. By extracting this password, an attacker can authenticate to the NSClient++ web interface (typically accessible on port 8443) and abuse the ExternalScripts plugin to inject and execute arbitrary commands as SYSTEM by registering a custom script, saving the configuration, and triggering it via the API. This behavior is documented but insecure, as the plaintext credential exposure undermines access isolation between local users and administrative functions.
History

Tue, 25 Nov 2025 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
CWE-312

Wed, 17 Sep 2025 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Nsclient
Nsclient nsclient++
Weaknesses CWE-522
CPEs cpe:2.3:a:nsclient:nsclient\+\+:0.5.2.35:*:*:*:*:*:*:*
Vendors & Products Nsclient
Nsclient nsclient++
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 02 Jul 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 02 Jul 2025 19:45:00 +0000

Type Values Removed Values Added
Description A local privilege escalation vulnerability exists in NSClient++ 0.5.2.35 when both the web interface and ExternalScripts features are enabled. The configuration file (nsclient.ini) stores the administrative password in plaintext and is readable by local users. By extracting this password, an attacker can authenticate to the NSClient++ web interface (typically accessible on port 8443) and abuse the ExternalScripts plugin to inject and execute arbitrary commands as SYSTEM by registering a custom script, saving the configuration, and triggering it via the API. This behavior is documented but insecure, as the plaintext credential exposure undermines access isolation between local users and administrative functions.
Title NSClient++ 0.5.2.35 Local Privilege Escalation via ExternalScripts and Web Interface
Weaknesses CWE-269
CWE-312
References
Metrics cvssV4_0

{'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:20.995Z

Reserved: 2025-04-15T19:15:22.550Z

Link: CVE-2025-34078

Vulnrichment

Updated: 2025-07-02T20:31:57.950Z

NVD

Status: Modified

Published: 2025-07-02T20:15:29.827

Modified: 2025-11-25T15:15:51.260

Link: CVE-2025-34078

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T22:45:25Z

Weaknesses