
CVE-2025-4660: CWE-276 Incorrect Default Permissions in Forescout SecureConnector

High
Tags: Vulnerability, CVE-2025-4660, CWE-276
Published: Tue May 13 2025 (05/13/2025, 17:34:53 UTC)
Source: CVE
Vendor/Project: Forescout
Product: SecureConnector

Description

A remote code execution vulnerability exists in the Windows agent component of SecureConnector due to improper access controls on a named pipe. The pipe is accessible to the Everyone group and does not restrict remote connections, allowing any network-based attacker to connect without authentication. By interacting with this pipe, an attacker can redirect the agent to communicate with a rogue server that can issue commands via the SecureConnector Agent. This does not impact Linux or OSX Secure Connector.

AI-Powered Analysis

Last updated: 08/22/2025, 00:40:49 UTC

Technical Analysis

CVE-2025-4660 is a high-severity remote code execution vulnerability in the Windows agent component of Forescout SecureConnector. The root cause is an incorrectly permissioned named pipe: the pipe's DACL grants access to the Everyone group, and the pipe does not reject remote clients. On Windows a named pipe is reachable from other hosts through the IPC$ share over SMB (\\host\pipe\name on TCP 445) unless the server creates it with PIPE_REJECT_REMOTE_CLIENTS or its DACL denies the NETWORK logon SID, so a pipe that is both world-accessible and remote-enabled behaves like an unauthenticated network service.

Any host that can reach SMB on the endpoint can therefore open the pipe without credentials or user interaction. Through it, the attacker redirects the agent to a rogue management server under their control, and that server issues commands which the agent executes. The result is remote code execution in the security context of the SecureConnector agent. The Linux and macOS agents are not affected; the issue is limited to Windows deployments.

The CVSS 4.0 base score is 8.7, reflecting a network attack vector with no authentication or user interaction required and high impact on confidentiality, integrity and availability. The weakness is classified as CWE-276 (Incorrect Default Permissions): the pipe ships with insecure default access control rather than being misconfigured by administrators. No exploitation in the wild has been reported, but the combination of no authentication and network reachability makes the potential significant. The vulnerability was published on May 13, 2025; as of this analysis no patches or mitigations were linked in the record, so affected organizations must rely on risk assessment and interim controls until a fixed agent is available.
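The two properties named above, a DACL that admits Everyone and no restriction on remote clients, can be read straight off a security descriptor in SDDL form. The following is an added example written for this page, not Forescout code: it parses the DACL section of an SDDL string, reports which broad identities (Everyone, Authenticated Users, Anonymous, Users) can write to the pipe, and checks for the one DACL-level defence against SMB clients, a deny ACE for the NETWORK logon SID (NU, S-1-5-2), which goes slightly beyond the advisory text. The three descriptors at the bottom are constructed illustrations, not SecureConnector's actual pipe descriptor.

```python
"""Flag Windows named-pipe DACLs (SDDL form) that leave the pipe open to remote
SMB clients, the condition behind CVE-2025-4660.

Added example for this page, not Forescout code. The SDDL strings at the
bottom are constructed illustrations, not SecureConnector's real descriptor.
"""
import re

# SDDL SID aliases whose presence in an allow ACE means "anyone", including
# clients that arrived over SMB: WD Everyone, AU Authenticated Users,
# AN Anonymous, BU built-in Users.
BROAD_SIDS = {"WD": "Everyone", "AU": "Authenticated Users",
              "AN": "Anonymous", "BU": "Users"}

# NU is the NETWORK logon SID (S-1-5-2). Every token built for a client that
# connected through SMB carries it, so a deny ACE for NU blocks remote pipe
# clients even when a broad allow ACE follows it.
NETWORK_SID = "NU"

# Access-right bits that let a client write to (and so drive) the pipe.
GENERIC_ALL, GENERIC_WRITE, FILE_WRITE_DATA = 0x10000000, 0x40000000, 0x2
WRITE_TOKENS = {"GA", "GW", "FA", "FW"}   # two-letter SDDL right aliases

# One ACE: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def parse_dacl(sddl):
    """Return (ace_type, rights, sid) tuples from the D: section of an SDDL string.

    Returns None for a NULL DACL ('D:NO_ACCESS_CONTROL' or no D: section),
    which Windows treats as full access for everyone.
    """
    if "D:NO_ACCESS_CONTROL" in sddl:
        return None
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return None
    return [(t, r, s) for t, _f, r, _og, _ig, s in ACE_RE.findall(m.group(1))]


def grants_write(rights):
    """True if an SDDL rights string includes a write or full-control right."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (GENERIC_ALL | GENERIC_WRITE | FILE_WRITE_DATA))
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(tokens & WRITE_TOKENS)


def assess_pipe_dacl(sddl):
    """Summarise who can write to the pipe and whether SMB clients are excluded."""
    aces = parse_dacl(sddl)
    if aces is None:
        return {"broad_write": ["Everyone (NULL DACL)"], "network_denied": False,
                "remote_write_reachable": True}
    broad = [BROAD_SIDS[s] for t, r, s in aces
             if t == "A" and s in BROAD_SIDS and grants_write(r)]
    net_denied = any(t == "D" and s == NETWORK_SID and grants_write(r)
                     for t, r, s in aces)
    # Textual check only: it assumes canonical ACE order (explicit denies
    # first) and cannot see the PIPE_REJECT_REMOTE_CLIENTS flag, which is set
    # at CreateNamedPipe time and is not part of the security descriptor.
    return {"broad_write": broad, "network_denied": net_denied,
            "remote_write_reachable": bool(broad) and not net_denied}


# Constructed descriptors (not SecureConnector's actual pipe DACL).
WEAK_SDDL = "O:SYG:SYD:(A;;GA;;;WD)"            # world-writable, no remote restriction
NULL_DACL_SDDL = "O:SYG:SYD:NO_ACCESS_CONTROL"   # no DACL at all: same exposure
HARDENED_SDDL = ("O:SYG:SYD:(D;;GA;;;NU)(A;;GA;;;SY)"
                 "(A;;GA;;;BA)(A;;GRGW;;;AU)")   # SMB clients denied; local users may still write

if __name__ == "__main__":
    for label, sddl in [("weak", WEAK_SDDL), ("null", NULL_DACL_SDDL),
                        ("hardened", HARDENED_SDDL)]:
        print(label, assess_pipe_dacl(sddl))
```

On a live host the SDDL comes from whatever tool can read the pipe's security descriptor (Sysinternals accesschk, or a handle opened on \\.\pipe\<name>); the hardened descriptor shows that denying NU closes the remote path while local authenticated users keep write access, so a local privilege-escalation review is still needed even after that fix.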

Potential Impact

For European organizations that rely on Forescout SecureConnector Windows agents for device visibility and policy enforcement, the impact of CVE-2025-4660 can be severe. A compromised agent gives the attacker code execution on the endpoint in the agent's security context, a foothold for reconnaissance, lateral movement and malware deployment, and it turns a security control into a blind spot: the agent keeps reporting to a server the attacker controls, so policy enforcement and monitoring for that host can no longer be trusted. Critical sectors such as finance, healthcare, energy and government face espionage, data breaches or operational disruption if agents are compromised, and the exposure is the same for any Windows estate running the agent. Because exploitation needs neither physical access nor user interaction, only network reachability of SMB on the endpoint, automated or wide-scale exploitation attempts are plausible once a working exploit circulates. Redirecting agent traffic to a rogue server also hands the attacker a persistent command-and-control channel that looks like ordinary agent-to-server traffic.

Mitigation Recommendations

Beyond generic advice, European organizations should first inventory their SecureConnector Windows agents and record versions, so that a fixed build can be verified once Forescout publishes one; the Linux and macOS agents are out of scope.

Because remote access to a named pipe travels over SMB, the most effective interim control is network-level: block inbound TCP 445 (and 139) to endpoints from anything other than designated management hosts, both in the Windows host firewall and at segmentation boundaries. Client endpoints rarely need to accept inbound SMB at all; servers that do should restrict it to known administrative subnets.

The pipe's DACL is set by the agent process when it creates the pipe, so it cannot be tightened from outside without a vendor fix; Group Policy and file-system ACL tools do not change it. Treat any exception to SMB filtering as a direct exposure of the pipe.

Enable auditing of detailed file-share access (the "Detailed File Share" audit subcategory) so that connections to the pipe are logged: Security event 5145 records the client IP address, the share (\\*\IPC$) and the pipe name in RelativeTargetName, and should be alerted on when the source lies outside the management allowlist. Sysmon pipe events (17 and 18) show which local process created or connected to the pipe but not the remote source address. Pair this with EDR rules for the agent process spawning unexpected children or contacting any server other than the configured Forescout appliance, since the attack ends with the agent talking to a rogue server.

Coordinate with Forescout for a patched agent and deploy it as soon as it is available. Where the interim risk is unacceptable, consider disabling or limiting the Windows agent on critical systems. User awareness training does not help here, because exploitation needs no user interaction; instead, add this vulnerability to incident response playbooks so that a compromised agent is recognised and contained quickly.
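The 5145-based detection described above, as an added example written for this page rather than Forescout or Microsoft code: it takes Security events exported as XML, keeps only IPC$ accesses to the agent's pipe, and reports those from addresses outside the management allowlist, noting whether write access was requested. The pipe name 'hypothetical-agent-pipe', the management subnet and the four event records are constructed for the demo; the advisory does not disclose the real pipe name.

```python
"""Find remote connections to a Windows named pipe in Security event 5145
records exported as XML, the audit trail a client leaves when it reaches a
pipe like the one in CVE-2025-4660 over SMB.

Added example for this page, not Forescout code. The pipe name, the
management allowlist and the sample records are constructed for the demo.
"""
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FILE_WRITE_DATA = 0x2   # AccessMask bit meaning the client asked to write


def parse_share_event(xml_text):
    """Return the EventData of a 5145 record as a dict, or None for other IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5145":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    data["Computer"] = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    return data


def remote_pipe_connections(xml_events, pipe_name, allowed_nets):
    """Flag IPC$ accesses to pipe_name from addresses outside allowed_nets."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for text in xml_events:
        ev = parse_share_event(text)
        if ev is None or not ev.get("ShareName", "").upper().endswith("IPC$"):
            continue  # named pipes are only reachable remotely through IPC$
        if ev.get("RelativeTargetName", "").lower() != pipe_name.lower():
            continue
        try:
            src = ipaddress.ip_address(ev.get("IpAddress", ""))
        except ValueError:
            continue  # IpAddress is "-" or malformed: no network client to attribute
        if src.is_loopback or any(src in n for n in nets):
            continue
        mask = int(ev.get("AccessMask", "0x0"), 16)
        findings.append({
            "host": ev["Computer"],
            "source": str(src),
            "account": f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}",
            "write_requested": bool(mask & FILE_WRITE_DATA),
        })
    return findings


def _event(computer, ip, pipe, user, mask):
    """Build a minimal 5145 record in Windows event XML (constructed sample)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5145</EventID><Computer>{computer}</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="IpAddress">{ip}</Data>
    <Data Name="IpPort">49211</Data>
    <Data Name="ShareName">\\\\*\\IPC$</Data>
    <Data Name="RelativeTargetName">{pipe}</Data>
    <Data Name="AccessMask">{mask}</Data>
  </EventData>
</Event>"""


PIPE = "hypothetical-agent-pipe"      # placeholder: the advisory does not name the pipe
MANAGEMENT_NETS = ["10.0.0.0/24"]     # assumed subnet of the Forescout appliances

# Constructed sample log: one expected management connection, one from an
# unexpected address, one to an unrelated pipe, one local loopback access.
SAMPLE_EVENTS = [
    _event("WS-0142", "10.0.0.5", PIPE, "svc-forescout", "0x12019f"),
    _event("WS-0142", "198.51.100.23", PIPE, "jdoe", "0x12019f"),
    _event("WS-0142", "198.51.100.23", "spoolss", "jdoe", "0x12019f"),
    _event("WS-0142", "::1", PIPE, "SYSTEM", "0x120089"),
]

if __name__ == "__main__":
    for finding in remote_pipe_connections(SAMPLE_EVENTS, PIPE, MANAGEMENT_NETS):
        print(finding)
```

Event 5145 is only written when the "Detailed File Share" audit subcategory is enabled, and it is high-volume on file servers, so forward it from workstations and filter on ShareName ending in IPC$ before applying the pipe-name match.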


Technical Details

Data Version
5.1
Assigner Short Name
Forescout
Date Reserved
2025-05-13T17:34:31.059Z
Cisa Enriched
true
Cvss Version
4.0
State
PUBLISHED

Threat ID: 682d9815c4522896dcbd5f0e

Added to database: 5/21/2025, 9:08:37 AM

Last enriched: 8/22/2025, 12:40:49 AM

Last updated: 9/30/2025, 5:41:21 AM

Views: 39
