CVE-2025-34179 HIGH

CVE-2025-34179: NetSupport Manager < 14.12.0001 Unauthenticated SQLi Local File Disclosure

Vendor Netsupport Software
Product Manager
Weakness CWE-89 · SQLi
Published December 15, 2025
Last update May 14, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

NetSupport Manager < 14.12.0001 contains an unauthenticated SQL injection vulnerability in its Connectivity Server/Gateway HTTPS request handling. The server evaluates request URIs using an unsanitized SQLite query against the FileLinks table in gateway.db. By injecting SQL through the LinkName/URI value, a remote attacker can control the FileName field used by the server to read and return files from disk, resulting in arbitrary local file disclosure.

Key dates

02Disclosure timeline

December 15, 2025 CVE published
May 14, 2026 Record updated