CVE-2025-34179

Sažetak

NetSupport Manager < 14.12.0001 contains an unauthenticated SQL injection vulnerability in its Connectivity Server/Gateway HTTPS request handling. The server evaluates request URIs using an unsanitized SQLite query against the FileLinks table in gateway.db. By injecting SQL through the LinkName/URI value, a remote attacker can control the FileName field used by the server to read and return files from disk, resulting in arbitrary local file disclosure.

Reference

https://kb.netsupportsoftware.com/knowledge-base/updating-and-securing-netsupport-manager/
https://ret2.me/post/2025-12-04-exploiting-netsupport-gateway/
https://www.vulncheck.com/advisories/netsupport-manager-unauthenticated-sqli-local-file-disclosure

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

15-12-2025 - 19:16

Objavljeno

15-12-2025 - 15:15