CVE-2025-34252 - Vulnerability Details

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. This vulnerability has been reassigned as CVE-2017-20203 ( https://www.cve.org/CVERecord?id=CVE-2017-20203 ) to have the year of the CVE correspond to the year of public disclosure.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Netsarang	Xftp Xlpd Xmanager Xmanager Enterprise Xshell

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Netsarang	Xftp Xlpd Xmanager Xmanager Enterprise Xshell

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

No reference.

History

Thu, 09 Oct 2025 17:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-506
References	https://securelist.com/shadowpad-in-corporate-networks/81432/ https://usa.kaspersky.com/about/press-releases/shadowpad-attackers-hid-backdoor-in-software-used-by-hundreds-of-large-companies-worldwide https://web.archive.org/web/20181022035109/https://www.netsarang.com/news/security_exploit_in_july_18_2017_build.html https://www.vulncheck.com/advisories/netsarang-malicious-backdoor-supply-chain-compromise
Metrics	cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}`

Thu, 09 Oct 2025 17:15:00 +0000

Type	Values Removed	Values Added
Description	NetSarang Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220 contain a malicious nssock2.dll that implements a multi-stage, DNS-based backdoor. The dormant library contacts a C2 DNS server via a specially crafted TXT record for a month‑generated domain. After receiving a decryption key, it then downloads and executes arbitrary code, creates an encrypted virtual file system (VFS) in the registry, and grants the attacker full remote code execution, data exfiltration, and persistence. NetSarang released builds for each product line that remediated the compromise: Xmanager Enterprise Build 1236, Xmanager Build 1049, Xshell Build 1326, Xftp Build 1222, and Xlpd Build 1224. Kaspersky Lab identified an instance of exploitation in the wild in August 2017.	This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. This vulnerability has been reassigned as CVE-2017-20203 ( https://www.cve.org/CVERecord?id=CVE-2017-20203 ) to have the year of the CVE correspond to the year of public disclosure.
Title	NetSarang v5.0 Malicious Backdoor Supply Chain Compromise
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}` cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}`	cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}`

Wed, 08 Oct 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 08 Oct 2025 19:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV4_0 `{'score': 9.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}`	cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}`

Wed, 08 Oct 2025 13:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Netsarang Netsarang xftp Netsarang xlpd Netsarang xmanager Netsarang xmanager Enterprise Netsarang xshell
Vendors & Products		Netsarang Netsarang xftp Netsarang xlpd Netsarang xmanager Netsarang xmanager Enterprise Netsarang xshell

Tue, 07 Oct 2025 21:15:00 +0000

Type	Values Removed	Values Added
Description		NetSarang Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220 contain a malicious nssock2.dll that implements a multi-stage, DNS-based backdoor. The dormant library contacts a C2 DNS server via a specially crafted TXT record for a month‑generated domain. After receiving a decryption key, it then downloads and executes arbitrary code, creates an encrypted virtual file system (VFS) in the registry, and grants the attacker full remote code execution, data exfiltration, and persistence. NetSarang released builds for each product line that remediated the compromise: Xmanager Enterprise Build 1236, Xmanager Build 1049, Xshell Build 1326, Xftp Build 1222, and Xlpd Build 1224. Kaspersky Lab identified an instance of exploitation in the wild in August 2017.
Title		NetSarang v5.0 Malicious Backdoor Supply Chain Compromise
Weaknesses		CWE-506
References		https://securelist.com/shadowpad-in-corporate-networks/81432/ https://usa.kaspersky.com/about/press-releases/shadowpad-attackers-hid-backdoor-in-software-used-by-hundreds-of-large-companies-worldwide https://web.archive.org/web/20181022035109/https://www.netsarang.com/news/security_exploit_in_july_18_2017_build.html https://www.vulncheck.com/advisories/netsarang-malicious-backdoor-supply-chain-compromise
Metrics		cvssV4_0 `{'score': 9.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}`

MITRE

Status: REJECTED

Assigner: VulnCheck

Published: 2025-10-07T21:01:40.739Z

Updated: 2025-10-09T16:58:14.274Z

Reserved: 2025-04-15T19:15:22.578Z

Link: CVE-2025-34252

Vulnrichment

Updated:

NVD

Status : Rejected

Published: 2025-10-07T21:15:38.077

Modified: 2025-10-09T17:15:58.827

Link: CVE-2025-34252

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-10-08T13:35:31Z

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object