CVE-2019-14477

Vulnerability

AdRem NetCrunch 10.6.0.4587 stores its internal user database in UserProfiles.xml. The file is readable by the BUILTIN\Users group, meaning any low-privileged user on the system can read it. The passwords within are weakly encoded or encrypted, as reported in [1]. This affects version 10.6.0.4587 and likely earlier versions; the fix was introduced in version 11.0.0.5282.

Exploitation

An attacker with local access as a low-privileged user (e.g., a standard Windows user) can read UserProfiles.xml directly from C:\ProgramData\AdRem\NetCrunch\data\. No authentication or special privileges are required beyond a local user account. The file's access control list grants read and execute permissions to all authenticated users, as shown by the icacls output in [1].

Impact

Successful exploitation allows the attacker to extract the weakly stored passwords for all internal NetCrunch users, including those with administrative privileges. Since NetCrunch manages credentials for monitored systems (often with elevated privileges), this can lead to lateral movement and compromise of network infrastructure devices or servers.

Mitigation

AdRem released NetCrunch 11.0.0.5282 which fixes the file permissions on UserProfiles.xml [1]. Users should upgrade to this version or later. No supported workaround is available for the vulnerable version; if upgrading is not immediately possible, restrict local access to trusted users and monitor for unauthorized file reads.