CVE-2025-34252: CWE-506 Embedded Malicious Code in NetSarang Computer, Inc. Xmanager Enterprise
Description
NetSarang Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220 ship a malicious nssock2.dll that implements a multi-stage, DNS-based backdoor. The library lies dormant until it contacts a command-and-control (C2) DNS server through a specially crafted TXT record query for a domain generated from the current month. Once it receives a decryption key, it downloads and executes arbitrary code, creates an encrypted virtual file system (VFS) in the registry, and gives the attacker full remote code execution, data exfiltration, and persistence. NetSarang released remediated builds for each product line: Xmanager Enterprise Build 1236, Xmanager Build 1049, Xshell Build 1326, Xftp Build 1222, and Xlpd Build 1224. Kaspersky Lab identified an instance of exploitation in the wild in August 2017.
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.578Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68e582fea677756fc9a25d6f
Added to database: 10/7/2025, 9:15:42 PM
Last updated: 10/7/2025, 9:15:48 PM
Related Threats
- CVE-2025-11409: SQL Injection in Campcodes Advanced Online Voting Management System (Medium)
- CVE-2025-62185: CWE-427 Uncontrolled Search Path Element in Ankitects Anki (Medium)
- CVE-2025-62187: CWE-23 Relative Path Traversal in Ankitects Anki (Low)
- CVE-2025-62186: CWE-829 Inclusion of Functionality from Untrusted Control Sphere in Ankitects Anki (Medium)
- CVE-2025-11408: Buffer Overflow in D-Link DI-7001 MINI (High)