NetSupport Manager 0-Day Vulnerabilities Enable Remote Code Execution


Two critical 0-day vulnerabilities have been disclosed in NetSupport Manager that, when chained, allow unauthenticated remote code execution (RCE).

The vulnerabilities were discovered during routine security assessments of operational technology (OT) environments. They affect version 14.10.4.0 and earlier; fixes shipped in version 14.12.0000, released on July 29th, 2025.

The two vulnerabilities tracked as CVE-2025-34164 and CVE-2025-34165 reside in the remote control software’s undocumented broadcast feature, which was introduced in version 14 and operates independently of standard command processing.

CVE-2025-34164 is a heap-based out-of-bounds write caused by an integer overflow in broadcast port allocation parameters. Attackers can exploit insufficient validation of slot size and count values in BC_ADD_PORT commands to trigger memory corruption on the heap.

CVE-2025-34165 is a stack-based out-of-bounds read resulting from missing size validation: the BC_TCP_DATA command accepts an attacker-controlled broadcast data size parameter without verifying that the source receive buffer actually contains that many bytes.


Command Broadcast Feature (Source: CODE WHITE).

Since the receive buffer is fixed at 0x800 bytes and sits on the stack, a declared size larger than the data actually received makes the handler read past the end of the buffer into adjacent stack memory.
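The following is an added illustration of the BC_TCP_DATA bug class, not code from NetSupport or from CODE WHITE's advisory. The 0x800-byte stack receive buffer is taken from the description above; the wire layout (a 4-byte command id followed by a 4-byte little-endian data size, then the data), the command id value and the sample messages are assumptions constructed for the example. It models the over-read the vulnerable logic would perform without actually performing it, and shows the bounds check a hardened handler needs: the declared size must be checked against the bytes actually received, not just against the destination.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not NetSupport's code. The receive buffer size (0x800 bytes,
 * on the stack) comes from the advisory; the wire layout below is assumed:
 * [u32 command][u32 data_size][data ...], little-endian. */
#define RECV_BUF_SIZE 0x800u
#define BC_HDR_LEN    8u

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable logic, modelled without performing the read: trusting the
 * declared size means the copy starting at recv_buf + 8 runs
 * (declared - (received - 8)) bytes past the data actually received, and past
 * the 0x800-byte stack buffer itself once declared + 8 exceeds 0x800.
 * Returns the over-read length, 0 when the declared size is consistent. */
size_t bc_tcp_data_overread(size_t received, uint32_t declared)
{
    size_t available = received > BC_HDR_LEN ? received - BC_HDR_LEN : 0;
    return declared > available ? (size_t)declared - available : 0;
}

/* Hardened handler: the declared size is validated against the bytes that
 * are really present in the receive buffer and against the destination
 * before anything is copied. Returns bytes copied, or -1 on rejection. */
long bc_tcp_data_handle(const uint8_t *recv_buf, size_t received,
                        uint8_t *out, size_t out_len)
{
    if (received > RECV_BUF_SIZE || received < BC_HDR_LEN)
        return -1;                       /* header not fully present */
    uint32_t declared = rd32le(recv_buf + 4);
    if (declared > received - BC_HDR_LEN)
        return -1;                       /* claims more than was received */
    if (declared > out_len)
        return -1;                       /* would overflow the destination */
    memcpy(out, recv_buf + BC_HDR_LEN, declared);
    return (long)declared;
}

/* Constructed sample: a 12-byte message whose header claims 0x1000 data bytes.
 * The hardened handler rejects it; the naive copy would read 0xFFC bytes past
 * the four bytes that were actually received. */
size_t demo_oversized_claim(void)
{
    uint8_t recv_buf[RECV_BUF_SIZE] = {0};
    const uint8_t msg[] = { 0x02,0x00,0x00,0x00,  0x00,0x10,0x00,0x00,
                            'A','B','C','D' };
    memcpy(recv_buf, msg, sizeof msg);
    uint8_t out[0x1000];
    if (bc_tcp_data_handle(recv_buf, sizeof msg, out, sizeof out) != -1)
        return 0;                        /* hardened path must reject this */
    return bc_tcp_data_overread(sizeof msg, rd32le(recv_buf + 4));
}

/* Constructed sample: a consistent message (declared 4, received 12) is
 * accepted and its payload copied. Returns 4 on success, -1 otherwise. */
long demo_valid_message(void)
{
    uint8_t recv_buf[RECV_BUF_SIZE] = {0};
    const uint8_t msg[] = { 0x02,0x00,0x00,0x00,  0x04,0x00,0x00,0x00,
                            'A','B','C','D' };
    memcpy(recv_buf, msg, sizeof msg);
    uint8_t out[16] = {0};
    long n = bc_tcp_data_handle(recv_buf, sizeof msg, out, sizeof out);
    return (n == 4 && memcmp(out, "ABCD", 4) == 0) ? n : -1;
}
```

The important design point is that `received` (what the socket layer actually delivered) is the authority on how much data exists, and the declared size is only ever allowed to be smaller than or equal to it; a check against the destination buffer alone would still let the copy read beyond the valid bytes on the stack.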

Attack Chain and Impact

NetSupport Manager installations typically use TCP port 5405 for control-to-client communication.

Critically, the broadcast feature commands do not require authentication, making unauthenticated exploitation possible from any network position with connectivity to the client.

The slot size sent in the BC_ADD_PORT command is increased by the slot metadata size (0x10 bytes) and rounded up to the next 0x10-aligned value. Because this arithmetic is not checked for overflow, a sufficiently large slot size wraps to a much smaller value, so the heap chunk that gets allocated is too small for the data subsequently written into it.
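As an added example, not code from NetSupport or from the advisory, the block below reproduces the size arithmetic just described (add 0x10 bytes of metadata, round up to the next 0x10 boundary) in unchecked 32-bit arithmetic next to a checked version. The 32-bit width of the slot size and count, the policy limits, the slot header layout and the sample values are assumptions made for the illustration; only the 0x10 metadata size and the 0x10 alignment come from the text.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not NetSupport's code. 0x10-byte slot metadata and 0x10
 * rounding follow the description above; the 32-bit parameter width and the
 * limits below are assumptions for illustration. */
#define SLOT_META      0x10u
#define SLOT_ALIGN     0x10u
#define MAX_SLOT_SIZE  0x10000u   /* assumed policy limit */
#define MAX_SLOT_COUNT 256u       /* assumed policy limit */

/* Per-slot allocation size computed the way an unchecked path does it:
 * size + metadata, rounded up, in 32-bit arithmetic that silently wraps.
 * A slot size of 0xFFFFFFF8 yields 0x10: a 16-byte chunk for a request
 * that the caller will then treat as ~4 GiB of slot space. */
uint32_t slot_bytes_naive(uint32_t slot_size)
{
    return (slot_size + SLOT_META + (SLOT_ALIGN - 1)) & ~(SLOT_ALIGN - 1);
}

/* Checked version: rejects out-of-policy values and does the rounding and
 * the multiplication by the slot count in 64 bits. With the limits above the
 * product is at most (0x10000 + 0x1F) * 256, so the size_t result cannot
 * wrap either. */
bool slot_bytes_checked(uint32_t slot_size, uint32_t slot_count, size_t *total)
{
    if (slot_size == 0 || slot_size > MAX_SLOT_SIZE) return false;
    if (slot_count == 0 || slot_count > MAX_SLOT_COUNT) return false;
    uint64_t per = ((uint64_t)slot_size + SLOT_META + (SLOT_ALIGN - 1))
                   & ~(uint64_t)(SLOT_ALIGN - 1);
    *total = (size_t)(per * slot_count);
    return true;
}

/* Hardened BC_ADD_PORT-style allocation: one chunk holding slot_count slots,
 * each prefixed by SLOT_META bytes of metadata (here the usable size is
 * stored in the first 4 bytes). Returns NULL on rejected parameters or
 * allocation failure. */
uint8_t *bc_add_port_alloc(uint32_t slot_size, uint32_t slot_count,
                           size_t *total_out)
{
    size_t total;
    if (!slot_bytes_checked(slot_size, slot_count, &total)) return NULL;
    uint8_t *chunk = calloc(1, total);
    if (!chunk) return NULL;
    size_t per = total / slot_count;
    for (uint32_t i = 0; i < slot_count; i++)
        memcpy(chunk + i * per, &slot_size, sizeof slot_size); /* slot header */
    if (total_out) *total_out = total;
    return chunk;
}

/* Helpers with constructed inputs: return the computed total, or 0 when the
 * checked path rejects the parameters. */
size_t demo_checked_total(uint32_t slot_size, uint32_t slot_count)
{
    size_t total = 0;
    return slot_bytes_checked(slot_size, slot_count, &total) ? total : 0;
}

size_t demo_alloc(uint32_t slot_size, uint32_t slot_count)
{
    size_t total = 0;
    uint8_t *chunk = bc_add_port_alloc(slot_size, slot_count, &total);
    if (!chunk) return 0;
    uint32_t hdr;                       /* read back the last slot's header */
    memcpy(&hdr, chunk + (total / slot_count) * (slot_count - 1), sizeof hdr);
    free(chunk);
    return hdr == slot_size ? total : 0;
}
```

For a slot size of 0x100 both paths agree on 0x110 bytes per slot; for 0xFFFFFFF8 the naive path returns 0x10 while the checked path refuses the request, which is exactly the difference between a heap out-of-bounds write and a rejected packet.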

Heap-Based Out-of-Bounds Write (Source: CODE WHITE).

Chained together, the two bugs let attackers bypass Address Space Layout Randomization (ASLR) by leaking vtable pointers through the out-of-bounds read, achieve arbitrary memory writes through the heap corruption, and ultimately gain code execution.

The exploit relies on heap grooming to achieve a predictable memory layout, allowing attackers to overwrite critical data structures including vtable pointers and pseudo-code instruction pointers.

Researchers demonstrated a complete exploitation chain resulting in remote shell access through dynamic ROP gadget chain construction and kernel32 API resolution.

The widespread deployment of NetSupport Manager in industrial control environments makes this vulnerability particularly concerning.

With a basic understanding of the heap implementation in use, the first exploit step is breaking ASLR by leaking memory addresses.

ASLR Bypass (Source: CODE WHITE).

Many organizations use the software for remote maintenance and support of critical infrastructure and permit it through internal firewalls, which effectively punches a hole through network segmentation. This architecture creates a direct pathway for attackers to move laterally into sensitive OT networks.

Mitigations

CODE WHITE reported both vulnerabilities to NetSupport Ltd. on June 11th, 2025, with fixes deployed in version 14.12.0000 on July 29th, 2025.

The patches enforce authentication for all broadcast-related commands and implement comprehensive parameter validation. The CVSS severity rating for CVE-2025-34164 was updated on November 3rd, 2025 following exploit development.

Organizations running NetSupport Manager should immediately upgrade to version 14.12.0000 or later.

As interim mitigations while upgrades are rolled out, organizations should enforce network segmentation controls, restrict access to TCP port 5405 to authorized control hosts, and monitor for suspicious broadcast protocol activity.
