CyberDudeBivash Vulnerability Report NetSupport Manager Buffer Overflows — CVE-2025-34164 / CVE-2025-34165

Remote, unauthenticated abuse against remote-support estates; patch to 14.12.0000+

Author: CyberDudeBivash | Cybersecurity, AI & Threat Intelligence Network
Brand: CyberDudeBivash — Threat Intel • DevSecOps • CSPM/CNAPP • AI Security
Site: cyberdudebivash.com · cyberbivash.blogspot.com


1) Executive Summary

NetSupport Manager (NSM)—a widely deployed remote support/remote control platform—was hit with two high-severity buffer overflow CVEs:

  • CVE-2025-34164 – Heap-based buffer overflow in NetSupport Manager 14.x prior to 14.12.0000 → DoS or RCE by a remote, unauthenticated attacker. (Sources: NVD, Tenable)
  • CVE-2025-34165 – Stack-based buffer overflow in NetSupport Manager 14.x prior to 14.12.0000 → DoS and limited memory disclosure by a remote, unauthenticated attacker. (Sources: NVD, Tenable)

VulnCheck rates the pair high severity (CVSS v4 ~8.8) and confirms all 14.x < 14.12.0000 are affected. Upgrading to 14.12.0000+ is the vendor-recommended fix. (Source: VulnCheck)

Why you should care: Remote-support software often sits exposed (or reachable via gateways), runs with elevated privileges, and has direct keyboard/file/exec powers on managed endpoints. An unauthenticated overflow here can translate to fleet-wide compromise or fast ransomware deployment if an attacker lands code execution.


2) What’s vulnerable and how is it reached?

eSentire previously observed hundreds of internet-reachable NSM clients on 5405/tcp; this misconfiguration is common. If your environment matches that pattern, treat this pair as Tier-0 patch priority. (Source: eSentire)


3) Technical risk breakdown

CVE-2025-34164 — Heap overflow (DoS/RCE)

  • Impact: Crafted network input may overflow a heap buffer, leading to a crash or arbitrary code execution in the NSM service context. (Source: NVD)
  • Why it’s dangerous: Heap bugs in network-facing services are frequently reliable for RCE once an attacker controls size and content of allocations.

CVE-2025-34165 — Stack overflow (DoS / memory leak)

  • Impact: Crafted traffic may overflow a stack buffer, causing a service crash and limited memory disclosure (leaked bytes may include sensitive data and memory-layout hints that help defeat ASLR). (Source: NVD)
  • Chaining risk: An info-leak that reveals memory layout can lower exploit complexity for CVE-2025-34164-style RCE chains.

CVSS / Severity: the VulnCheck advisory aligns on High (CVSS v4 8.8). (Source: VulnCheck)


4) Likely attack paths (what we’d simulate in the lab)

  1. Internet-facing NSM
    Attacker mass-scans 5405/tcp → sends crafted overflow packets → RCE in service → dropper executes via service account → lateral movement using the tool’s own remote control/file copy features.
  2. Gateway exposure
    If your NSM uses the Connectivity Server (Gateway) on 443/tcp, attacker targets the gateway-mediated flow to reach clients/controls that were assumed “internal.” (Source: NetSupport Manager documentation)
  3. Internal pivot
    Compromised workstation (phish) scans for 5405/5421 → exploits nearby clients → leverages NSM’s legitimate capabilities for LOLBAS-style control.

5) Business impact (mapped to common sectors)

  • Managed service desks / BPOs: Toolchain takeover → client estate compromise and SLA-impacting outages.
  • Healthcare & finance: RCE on support endpoints → PHI/PCI data exposure; faster ransomware propagation.
  • Manufacturing / OT-adjacent IT: Remote-support foothold becomes bridge into engineering workstations.
  • Public sector: Remote admin channels abused for persistent access and covert data collection.

6) Immediate actions (0–24 hours)

Patch path

  • Upgrade NetSupport Manager to ≥ 14.12.0000 across Control, Client and Gateway components. (Source: VulnCheck)

Reduce blast radius now

  • Remove public exposure of 5405/5421; if remote access is needed, force it through VPN/ZTNA with MFA and IP allowlists. (Vendor docs confirm the 5405 / 5421 defaults and 443 for the Gateway; sources: kb.netsupportsoftware.com, NetSupport Manager documentation.)
  • Block at edge: temporarily geo-fence or IP-allowlist admin networks to NSM services.
  • Credential hygiene: rotate any service account creds tied to NSM.

Monitoring & containment

  • Hunt for crashes of the NSM service around suspicious traffic (crash = possible exploitation attempt).
  • Look for unknown Controls connecting to Clients (rogue operator).
  • Quarantine NSM systems that show unexplained memory access violations or repeated restarts.

7) SOC detections you can deploy today

Network (Zeek/Suricata)

  • Alert on inbound 5405/tcp from the internet; this port should be internal only. (Source: kb.netsupportsoftware.com)
  • Create a rule for abnormal length / malformed sessions to 5405 or 5421 (overflow probes often feature max-length fields).
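As an added example (not from the original post), the two network checks above applied in Python to constructed Zeek conn.log-style records: external sources reaching 5405/5421, oversized client bursts, and a responder reset with no reply, which is how the "crash around suspicious traffic" hunt from section 6 looks on the wire. The RFC1918 ranges, the 65535-byte threshold and the reduced column set are assumptions to tune for your estate.

```python
import ipaddress

# Default NSM listening ports named in the vendor docs cited above
NSM_PORTS = {5405, 5421}
# Where NSM traffic is expected to originate (assumption: RFC1918 only)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Tunable threshold: a single originator burst this large is unusual for a
# control channel and worth a look (assumed value, not a vendor figure)
LARGE_ORIG_BYTES = 65535

# Constructed sample using a subset of Zeek conn.log columns, tab separated:
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  orig_bytes  resp_bytes  conn_state
SAMPLE_CONN_LOG = """\
1700000000.1\tCabc1\t10.1.2.3\t51000\t10.1.9.9\t5405\ttcp\t412\t1290\tSF
1700000001.2\tCabc2\t203.0.113.7\t40112\t10.1.9.9\t5405\ttcp\t0\t0\tS0
1700000002.3\tCabc3\t10.1.2.4\t51001\t10.1.9.9\t5421\ttcp\t131072\t0\tRSTR
1700000003.4\tCabc4\t10.1.2.5\t51002\t10.1.9.9\t443\ttcp\t900\t4000\tSF
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def review_nsm_conns(conn_log):
    """Return (uid, reason) findings for sessions to the NSM ports."""
    findings = []
    for line in conn_log.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        uid, orig_h, resp_p = f[1], f[2], int(f[5])
        orig_bytes, resp_bytes, state = int(f[7]), int(f[8]), f[9]
        if resp_p not in NSM_PORTS:
            continue
        if not is_internal(orig_h):
            findings.append((uid, f"external source {orig_h} reached NSM port {resp_p}"))
        if orig_bytes >= LARGE_ORIG_BYTES:
            findings.append((uid, f"oversized client payload ({orig_bytes} bytes) to port {resp_p}"))
        # A responder-side reset with no reply after client data is what a
        # crashed listener looks like on the wire; correlate with service restarts
        if state == "RSTR" and resp_bytes == 0 and orig_bytes > 0:
            findings.append((uid, f"responder reset without replying on port {resp_p} (possible crash)"))
    return findings

if __name__ == "__main__":
    for uid, reason in review_nsm_conns(SAMPLE_CONN_LOG):
        print(uid, reason)
```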

Proxy/WAF/Gateway

  • If using NSM Gateway, log and alert on new source ASNs/countries hitting the Gateway on 443/tcp. (Source: NetSupport Manager documentation)

Endpoint/XDR

  • Detect child processes spawned by NSM binaries (e.g., client32.exe, nsm.exe) that start powershell, cmd, wscript or rundll32.
  • Flag unsigned modules loaded into NSM process memory (indicative of shellcode loaders).

Example Splunk SPL (quick triage; Sysmon-style field names Image / ParentImage / CommandLine assumed). The filter keys on the parent being an NSM binary and the child being a script interpreter, which is the child-process pattern described above:

index=edr (ParentImage="*\\client32.exe" OR ParentImage="*\\nsm.exe")
| search (Image="*\\powershell.exe" OR Image="*\\cmd.exe" OR Image="*\\wscript.exe" OR Image="*\\rundll32.exe")
| table _time host ParentImage Image CommandLine


8) DFIR playbook (when you suspect exploitation)

  1. Snapshot & isolate the endpoint/gateway VM; preserve volatile memory if possible.
  2. Collect NSM logs, Windows Event Logs, PCAP of the offending session on 5405/5421/443.
  3. Triage memory for injected code regions in NSM process; hunt for C2 beacons.
  4. Scope via NSM operator logs—what sessions/files/transfers occurred?
  5. Eradicate: re-image or restore gold images; rotate credentials; re-deploy NSM at 14.12.0000+ with ZTNA access model.

9) Secure configuration checklist (post-patch hardening)

  • Keep NSM behind ZTNA/VPN, never open 5405/5421 to the internet.
  • Enforce MFA for operators; log every operator action.
  • Set a security key so only authorized Controls can connect; vendor docs describe the Security Key feature. (Source: resources.netsupportsoftware.com)
  • Use the Gateway on 443 only with strict allowlists and TLS inspection as policy permits. (Source: NetSupport Manager documentation)
  • Segment NSM hosts away from critical servers (AD/DB/backup).
  • EDR policy: block script interpreters from launching as children of NSM processes.
  • SIEM use case: alert on new country interacting with NSM each day.

10) DevSecOps guardrails (prevent this class of incident)

  • Asset inventory: include remote-support tools in SBOM/CMDB and patch rings.
  • Change gates: NSM version checks as pre-prod gates (no 14.11.x in prod).
  • Continuous scanning: external attack-surface monitor to alert if 5405/5421 accidentally become exposed.
  • Secrets management: store NSM service creds/API tokens in a dedicated vault; rotate quarterly.
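As an added example (not from the original post) of the version gate in the "Change gates" item above: a Python check that classifies a constructed NSM inventory against the 14.12.0000 fixed build from the VulnCheck advisory. The inventory layout is an assumption; the lexical-compare pitfall it guards against ("14.9" sorting above "14.12") is a real way such gates silently pass vulnerable hosts.

```python
import re

MIN_SAFE_VERSION = "14.12.0000"   # fixed build per the VulnCheck advisory cited above
AFFECTED_MAJOR = 14               # the advisories scope both CVEs to the 14.x branch

# Constructed inventory export (hostname, component, version); layout is an assumption
INVENTORY = [
    ("helpdesk-01", "Control", "14.11.0005"),
    ("gateway-01",  "Gateway", "14.12.0000"),
    ("ws-0042",     "Client",  "14.9.0000"),
    ("ws-0043",     "Client",  "14.12.0001"),
    ("legacy-07",   "Client",  "12.80.0003"),
]

def parse_version(v):
    """'14.12.0000' -> (14, 12, 0): compare numerically, never as strings."""
    if not re.fullmatch(r"\d+(\.\d+)+", v):
        raise ValueError(f"unparseable NSM version: {v!r}")
    return tuple(int(p) for p in v.split("."))

def naive_is_patched(v):
    # The bug a quick script would ship: lexical compare says '14.9' > '14.12'
    return v >= MIN_SAFE_VERSION

def classify(v):
    t = parse_version(v)
    if t[0] != AFFECTED_MAJOR:
        return "outside-advisory-scope"      # not cleared: verify with the vendor
    return "patched" if t >= parse_version(MIN_SAFE_VERSION) else "vulnerable"

def gate_report(inventory):
    """Rows of (host, component, version, status) for the pre-prod gate."""
    return [(h, c, v, classify(v)) for h, c, v in inventory]

def gate_passes(inventory):
    # Conservative: only builds confirmed at or above the fix pass the gate
    return all(status == "patched" for *_, status in gate_report(inventory))

if __name__ == "__main__":
    for row in gate_report(INVENTORY):
        print(*row)
    raise SystemExit(0 if gate_passes(INVENTORY) else 1)
```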

11) Frequently asked questions

Is there a public exploit?
NVD/VulnCheck publish impact details; technical exploit code is not provided in those entries. Some trackers indicate details are limited; treat as exploitable but do not assume KEV status yet. (Sources: VulnCheck, VulDB)

Which components must I update?
Update Control, Client, and Gateway to 14.12.0000+ to ensure protocol parity and close the vulnerable code paths. (Source: VulnCheck)

What ports should be allowed?
Default operation relies on 5405 and 5421, plus optional 443 for the Gateway; keep them internal and limit by IP. (Sources: kb.netsupportsoftware.com, NetSupport Manager documentation)


12) CyberDudeBivash recommendations (ranked)

  1. Patch to 14.12.0000+ this week (emergency CAB if 5405 is or ever was internet-exposed). (Source: VulnCheck)
  2. Pull NSM behind ZTNA and remove any direct 5405/5421 exposure. (Source: kb.netsupportsoftware.com)
  3. Deploy EDR control to prevent script/tooling spawns from NSM processes.
  4. Instrument SIEM detections for odd traffic/child-process events.
  5. Audit operator logs weekly; require MFA and per-operator accounts.
  6. Tabletop a scenario: attacker gains RCE on a help-desk box—validate your blast-radius controls.

13) Recommended tooling (affiliate CTAs)

  • Bitdefender GravityZone — Stop post-overflow payloads, ransomware, and memory exploitation on Windows servers/endpoints.
    Protect your service desk with Bitdefender GravityZone (affiliate)
  • CrowdStrike Falcon XDR — Real-time detections for anomalous child processes and lateral movement after RCE.
    Harden remote-support estates with Falcon XDR (affiliate)
  • 1Password Business — Secrets Automation — Vault NSM service credentials, Gateway keys, and operator passwords; rotate automatically.
    Protect your remote-admin secrets with 1Password Business (affiliate)
  • NordVPN Teams (ZTNA) — Put NSM behind Zero-Trust access; cut internet exposure of 5405/5421 instantly.
    Enable secure remote access with NordVPN Teams (affiliate)
  • Snyk — Add policy gates so infra images/AMIs that contain old NSM builds fail CI.
    Block vulnerable builds with Snyk (affiliate)
  • Aqua Security — If you containerize supporting services/agents, enforce runtime policy and network allowlists.
    Deploy Aqua for runtime cloud defense (affiliate)

14) About CyberDudeBivash

CyberDudeBivash is your AI-powered Threat Intelligence & DevSecOps partner. We deliver:

  • Rapid CVE triage & patch orchestration (24–48h SLAs)
  • AI Vulnerability Scanner (detects misconfigs/CVEs in remote-support stacks)
  • CSPM/CNAPP rollouts (Prisma, Wiz, Aqua)
  • Secure App Development & DevSecOps (Next.js, Node, Python, Go)
  • Zero-Trust & PAM for admin planes (gateways, NAS, remote tools)

Book a 30-min assessment: cyberdudebivash.com
Daily intel & reports: cyberbivash.blogspot.com



#cyberdudebivash #ThreatIntel #CVE202534164 #CVE202534165 #RemoteSupport #RCE #InfoLeak #ZeroTrust #EDR #SOC #DevSecOps #CSPM
