QwikSec

Security Database

CVE

CWE

Training

CVE-2025-34179

Published: Dec 15, 2025

Modified: May 14, 2026

PUBLISHED

Description

NetSupport Manager < 14.12.0001 contains an unauthenticated SQL injection vulnerability in its Connectivity Server/Gateway HTTPS request handling. The server evaluates request URIs using an unsanitized SQLite query against the FileLinks table in gateway.db. By injecting SQL through the LinkName/URI value, a remote attacker can control the FileName field used by the server to read and return files from disk, resulting in arbitrary local file disclosure.

Vendor	Product	Versions
NetSupport Software	Manager	affected `0 - < 14.12.0001`

Weaknesses (CWE)

References

https://kb.netsupportsoftware.com/knowledge-base/updating-and-securing-netsupport-manager/

vendor-advisory

patch

https://www.vulncheck.com/advisories/netsupport-manager-unauthenticated-sqli-local-file-disclosure

third-party-advisory

https://ret2.me/post/2025-12-04-exploiting-netsupport-gateway/

technical-description

exploit

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.