NetSupport Manager < 14.12.0001 Unauthenticated SQLi Local File Disclosure

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

NetSupport Manager < 14.12.0001 contains an unauthenticated SQL injection vulnerability in its Connectivity Server/Gateway HTTPS request handling. The server evaluates request URIs using an unsanitized SQLite query against the FileLinks table in gateway.db. By injecting SQL through the LinkName/URI value, a remote attacker can control the FileName field used by the server to read and return files from disk, resulting in arbitrary local file disclosure.

AI Analysis

Unauthenticated SQL injection vulnerability in NetSupport Manager's Connectivity Server/Gateway HTTPS request handling, allowing arbitrary local file disclosure

Basic Information

ID CVE-2025-34179

Source VulnCheck

Published Dec 15, 2025 at 14:41

Modified Dec 15, 2025 at 14:52

Affected Product

Vendor NetSupport Software

Product Manager

Affected Versions NetSupport Software Manager 0

CWE Classification

CWE-89

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor NetSupport Software

Product NetSupport Manager

Version < 14.12.0001

References

{
    "lastseen": "",
    "description": "NetSupport Manager <\u00a014.12.0001\u00a0contains an unauthenticated SQL injection vulnerability in its Connectivity Server/Gateway HTTPS request handling. The server evaluates request URIs using an unsanitized SQLite query against the FileLinks table in gateway.db. By injecting SQL through the LinkName/URI value, a remote attacker can control the FileName field used by the server to read and return files from disk, resulting in arbitrary local file disclosure.",
    "published": "2025-12-15T14:41:27.306Z",
    "modified": "2025-12-15T14:52:50.913Z",
    "type": "cve",
    "title": "NetSupport Manager < 14.12.0001 Unauthenticated SQLi Local File Disclosure",
    "source": "VulnCheck",
    "references": "https://kb.netsupportsoftware.com/knowledge-base/updating-and-securing-netsupport-manager/\nhttps://www.vulncheck.com/advisories/netsupport-manager-unauthenticated-sqli-local-file-disclosure",
    "id": "CVE-2025-34179",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "NetSupport Software Manager 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Manager",
    "version": "0",
    "vendor": "NetSupport Software",
    "ai_description": "Unauthenticated SQL injection vulnerability in NetSupport Manager's Connectivity Server/Gateway HTTPS request handling, allowing arbitrary local file disclosure",
    "ai_severity": "High",
    "ai_vendor": "NetSupport Software",
    "ai_product": "NetSupport Manager",
    "ai_version": "< 14.12.0001",
    "ai_score": 8.7
}

NetSupport Manager < 14.12.0001 Unauthenticated SQLi Local File Disclosure_CVE-2025-34179