CVE-2019-25281 HIGH

CVE-2019-25281: NCP_Secure_Entry_Client 9.2 - Unquoted Service Paths

Vendor Ncp-E
Product NCP_Secure_Entry_Client
Weakness CWE-428
Published February 4, 2026
Last update March 5, 2026

CVSS base score

8.5/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

NCP Secure Entry Client 9.2 contains an unquoted service path vulnerability in multiple Windows services that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted paths in services like ncprwsnt, rwsrsu, ncpclcfg, and NcpSec to inject malicious code that would execute with LocalSystem privileges during service startup.

Key dates

02Disclosure timeline

February 4, 2026 CVE published
March 5, 2026 Record updated