Advisory

NetSupport Manager Zero-Day Flaws Enable Unauthenticated Remote Code Execution

Take action: Make sure exposure of your NetSupport Manager port is limited: access to TCP port 5405 should be blocked or strictly isolated. Then plan an update to version 14.12.0000.


Learn More

NetSupport Manager, a tool for remote access, is reported to contain two security flaws that allow attackers to run code on computers without a password. The issue exists in an undocumented broadcast feature that listens on TCP port 5405 and processes commands without checking who sent them, giving attackers a way to break in over the network.

Vulnerabilities summary:

  • CVE-2025-34164 (CVSS score 9.3) - A heap-based buffer overflow caused by an integer overflow in the BC_ADD_PORT command.
  • CVE-2025-34165 (CVSS score 9.3) - A stack-based buffer overflow that allows attackers to read process memory and bypass security protections.

Security experts at CODE WHITE demonstrated an exploit that chains these flaws together. They used the memory leak to find where the software was running in memory, then used the heap overflow to take control. This process takes only a few seconds over a network connection and requires no action from a user. The exploit reliably achieves full system access by overwriting internal function tables.

NetSupport fixed these problems in version 14.12.0000, released on July 29, 2025. The update adds strict checks to the broadcast feature and requires login for all commands.

Admins should also block TCP port 5405 at the firewall to prevent outside access. If a system does not need the remote client, admins should disable it to reduce the risk.
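The following added example (not from the advisory or from NetSupport) turns the three recommendations above into a per-host triage: it compares an installed version against 14.12.0000, checks whether TCP 5405 accepts connections from the machine running the script, and lists the actions that still apply. The inventory records, host names, field names and the older version string are constructed, and the three-part dotted version format is an assumption.

```python
import socket

FIXED = (14, 12, 0)    # 14.12.0000, the fixed release named in the advisory
BROADCAST_PORT = 5405  # TCP port named in the advisory


def parse_version(text):
    """'14.10.0001' -> (14, 10, 1); ValueError if not three dotted integers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts


def port_reachable(host, port=BROADCAST_PORT, timeout=1.0):
    """True if a TCP connect from this vantage point succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unroutable
        return False


def triage(record, reachable):
    """List the advisory's actions that still apply to one inventory record."""
    try:
        patched = parse_version(record["version"]) >= FIXED
    except ValueError:
        patched = False  # unreadable version: treat as unpatched
    actions = []
    if reachable:
        actions.append("block TCP 5405")
    if not record["client_needed"]:
        actions.append("disable client")
    if not patched:
        actions.append("update to 14.12.0000")
    return actions


if __name__ == "__main__":
    # Constructed inventory; in real use set `reachable` from
    # port_reachable(host), run from the segment that should be blocked.
    inventory = [
        {"host": "ws-01", "version": "14.10.0001", "client_needed": True, "reachable": True},
        {"host": "ws-02", "version": "14.12.0000", "client_needed": True, "reachable": False},
        {"host": "kiosk-03", "version": "unknown", "client_needed": False, "reachable": True},
    ]
    for rec in inventory:
        print(rec["host"], triage(rec, rec["reachable"]) or ["no action"])
```

Run the reachability check from each network segment that the firewall rule is meant to exclude, since a result from inside the management segment says nothing about outside access.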
