Two serious authentication bypass vulnerabilities (CVE-2025-34164 and CVE-2025-34165) in NetSupport Manager, a reputable remote access tool used by many businesses, allow unauthenticated remote code execution This article explores bypass vulnerabilities cve. . Patches have been available since July 29, 2025, and versions up to 14.10.4.0 are impacted.

The software's undocumented broadcast communication feature has flaws that allow attackers to corrupt heap memory and execute arbitrary code without credentials due to inadequate parameter validation. Details of the CVE Vulnerability Vulnerability Type CVSS CVE ID Attack Score Severity CVE-2025-34164: Vector Authentication Is Needed Heap-Based Integer Overflow (Out-of-Bounds Write) 9.8 TCP:5405 Critical Network No Stack-Based Out-of-Bounds Read 9.8 Critical Network (TCP:540) CVE-2025-341655.) No, the vulnerabilities are in the broadcast feature of NetSupport Manager, which was added in version 14 and uses TCP port 5405 for communication.

An attack surface for unauthenticated threat actors is created by this undocumented feature, which processes commands without authentication. CVE-2025-34164 (OOB Write): The BC_ADD_PORT command's incorrect handling of integer overflows is the source of the vulnerability. Slot size (ushort) and slot count (ushort) parameters are multiplied without validation when broadcast buffers are allocated.

When a slot size of 0xFFFF and count of 0xFFF1 are sent, integer overflow occurs, allocating a buffer of 0xFF10 bytes rather than the intended 0x100FF10 bytes, allowing writes beyond allocated boundaries. CVE-2025-34165 (OOB Read): An externally-controlled size parameter in the BC_TCP_DATA command is not validated against the RX buffer capacity (0x800 bytes). Address Space Layout Randomization (ASLR) bypass candidates and out-of-bounds reads from the stack-based RX buffer result from sending data larger than 0x7F6 bytes.

CODE WHITE security researchers showed complete remote code execution chains that combined both vulnerabilities. Heap spraying is used to create predictable memory layouts, OOB write is used to corrupt UdpInputStream object metadata, OOB read is used to extract vtable pointers to get around ASLR, virtual function tables are overwritten, and ROP chains are used to call VirtualProtect and run shellcode. With just network access to the listening client process, the exploit consistently accomplishes unauthenticated arbitrary code execution in a matter of seconds.

Both vulnerabilities are fixed in NetSupport Manager version 14.12.0000 (released July 29, 2025) by enforcing authentication for all broadcast-related commands and adding additional parameter validation. Businesses should use firewall rules to prevent TCP 5405 access and upgrade to 14.12.0000 or later right away.

Versions Affected Date of Patched Version Release < 14.12.0000 July 29, 2025 Disable unused NetSupport Manager client components, isolate systems with outdated versions, and keep an eye out for unusual TCP:5405 traffic patterns coming from outside sources.