CVE-2025-4660 is a high-severity remote code execution vulnerability affecting the Windows agent component of Forescout SecureConnector version 11.1.02.1019. The root cause is improper access control on a named pipe used by the SecureConnector agent. Specifically, the named pipe is accessible to the Everyone group and does not restrict remote connections, allowing any attacker on the network to connect without authentication. By exploiting this flaw, an attacker can redirect the SecureConnector agent to communicate with a malicious rogue server. This rogue server can then issue arbitrary commands to the agent, effectively enabling remote code execution with the privileges of the agent process. The vulnerability does not affect Linux or macOS versions of SecureConnector, limiting the scope to Windows deployments. The CVSS 4.0 base score is 8.7 (high), reflecting the network attack vector, low attack complexity, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. The vulnerability is classified under CWE-276 (Incorrect Default Permissions), indicating a failure to properly restrict access to sensitive IPC mechanisms. No known exploits are currently reported in the wild, but the ease of exploitation and impact make it a critical risk for affected environments. Since SecureConnector is often deployed in enterprise networks for device visibility and security enforcement, compromise of the agent could allow attackers to pivot within networks, execute arbitrary commands, and potentially undermine broader security controls.

For European organizations, this vulnerability poses a significant risk, especially for enterprises relying on Forescout SecureConnector on Windows endpoints for network security and device management. Successful exploitation could lead to unauthorized remote code execution, enabling attackers to manipulate security agents, bypass network segmentation, and gain persistent footholds. This could result in data breaches, disruption of security monitoring, and lateral movement within corporate networks. Given the critical role of SecureConnector in enforcing security policies and visibility, exploitation could undermine compliance with GDPR and other data protection regulations by exposing sensitive personal and corporate data. Additionally, sectors with high regulatory scrutiny such as finance, healthcare, and critical infrastructure in Europe could face severe operational and reputational damage. The lack of required authentication and user interaction increases the likelihood of exploitation in internal networks or via compromised VPNs. The absence of known exploits in the wild currently provides a window for mitigation before widespread attacks occur.

Organizations should immediately audit their deployments of Forescout SecureConnector on Windows to identify affected versions (11.1.02.1019). Although no patch links are currently provided, they should monitor Forescout advisories closely for official patches or updates addressing this vulnerability. In the interim, network segmentation should be enforced to restrict access to the SecureConnector agents’ named pipes, limiting connections to trusted management systems only. Implement strict firewall rules to block unauthorized inbound connections to endpoints running SecureConnector. Employ host-based access controls to restrict permissions on IPC mechanisms, ensuring the named pipe is not accessible to the Everyone group or remote users. Additionally, monitor network traffic for unusual connections or redirections involving SecureConnector agents. Deploy endpoint detection and response (EDR) solutions to detect anomalous command execution patterns. Organizations should also review and tighten privilege levels of the SecureConnector agent to minimize impact if compromised. Finally, conduct user awareness and incident response drills to prepare for potential exploitation scenarios.