PT-2025-41186 · Netsarang+1 · Xshell+5
Kaspersky Lab · Published 2025-10-07 · Updated 2025-10-08 · CVE-2025-34252
CVSS v4.0: 9.3 Critical
Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
NetSarang Xmanager Enterprise versions 5.0 Build 1232 through 5.0 Build 1236
NetSarang Xmanager versions 5.0 Build 1045 through 5.0 Build 1049
NetSarang Xshell versions 5.0 Build 1322 through 5.0 Build 1326
NetSarang Xftp versions 5.0 Build 1218 through 5.0 Build 1222
NetSarang Xlpd versions 5.0 Build 1220 through 5.0 Build 1224
Description
The software contains a malicious nssock2.dll library that implements a multi-stage, DNS-based backdoor. The library establishes contact with a command and control (C2) DNS server using a specially crafted TXT record for a month-generated domain. Upon receiving a decryption key, it downloads and executes arbitrary code, creates an encrypted virtual file system (VFS) within the registry, and grants the attacker full remote code execution, data exfiltration, and persistence. An instance of exploitation was identified in the wild in August 2017.
Recommendations
Update NetSarang Xmanager Enterprise to build 1236.
Update NetSarang Xmanager to build 1049.
Update NetSarang Xshell to build 1326.
Update NetSarang Xftp to build 1222.
Update NetSarang Xlpd to build 1224.
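For hosts that ran an affected build, a hunting heuristic for the monthly TXT-query pattern given in the Description, as an added example that is not part of the original advisory: it reports clients that sent TXT-only queries to a different single-month domain in two or more months. The log format, sample lines, two-label domain split, threshold and function names are assumptions; the page does not give the domain-generation algorithm.

```python
from collections import defaultdict

# Constructed resolver log (not real traffic), one query per line:
# date client qtype qname
SAMPLE_LOG = """\
2017-06-03 10.0.0.5 A www.corp.example
2017-06-04 10.0.0.5 TXT corp.example
2017-07-09 10.0.0.7 TXT kq3vbx7a.abcdxyzqrs.example
2017-07-11 10.0.0.5 TXT _dmarc.partner.test
2017-07-15 10.0.0.7 TXT p0d8s2la.abcdxyzqrs.example
2017-08-01 10.0.0.5 A www.corp.example
2017-08-03 10.0.0.7 TXT z81mmq0c.lmnopqwert.example
2017-08-20 10.0.0.9 TXT t4e7yy1b.lmnopqwert.example
2017-08-21 10.0.0.9 A mail.corp.test
"""

def registered_domain(qname):
    # Assumption: last two labels form the registered domain.
    # Use a public-suffix list for real data (e.g. names under co.uk).
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def hunt(log_text, min_months=2):
    """Return {client: {month: [domains]}} for clients whose TXT-only,
    single-month domains change from one month to the next."""
    months, qtypes, clients = defaultdict(set), defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the hunt
        date, client, qtype, qname = parts
        dom = registered_domain(qname)
        months[dom].add(date[:7])        # calendar month, YYYY-MM
        qtypes[dom].add(qtype.upper())
        clients[dom].add(client)
    hits = defaultdict(lambda: defaultdict(set))
    for dom, seen in months.items():
        # Candidate: only ever queried for TXT and confined to one month.
        if qtypes[dom] == {"TXT"} and len(seen) == 1:
            month = next(iter(seen))
            for client in clients[dom]:
                hits[client][month].add(dom)
    # One-off TXT lookups (SPF, DMARC) are common; require the monthly change.
    return {c: {m: sorted(d) for m, d in sorted(by_month.items())}
            for c, by_month in hits.items() if len(by_month) >= min_months}

if __name__ == "__main__":
    for client, by_month in hunt(SAMPLE_LOG).items():
        print(client, by_month)
```

A hit is a lead for triage, not a verdict: confirm it against the installed build and the presence of nssock2.dll on that host.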
Fix
RCE
Weakness Enumeration
Related Identifiers
Affected Products
Xftp
Xlpd
Xmanager
Enterprise Manager
Xshell
Nssock2.Dll