NetBT e-Fatura - Privilege Escalation
NetBT e-Fatura - Privilege Escalation
AI Analysis
Technical Summary
The NetBT e-Fatura application has a local privilege escalation vulnerability identified as CVE-2025-14018, caused by an unquoted search path or element (CWE-428). The InboxProcessor Windows service runs with LocalSystem privileges and loads its executable from 'C:\inetpub\wwwroot\InboxProcessor\Netbt.Inbox.Process.exe'. This directory is writable by standard users, allowing them to insert or replace executables that the service will run with elevated privileges. This misconfiguration enables unauthorized local users to execute arbitrary code with high privileges. The vulnerability was tested on version 2024 of the software on Windows Server 2019 DC. Public exploit code is available in text format. No official patch or vendor advisory confirming remediation is currently available.
Potential Impact
An unauthorized local user can gain elevated privileges on the affected system by exploiting this vulnerability, potentially achieving full system compromise under the LocalSystem account. This can lead to unauthorized access to sensitive data, disruption of services, and complete control over the host system.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://net-bt.com.tr/e-fatura/ for current remediation guidance. Until an official fix is available, restrict write permissions to the directory 'C:\inetpub\wwwroot\InboxProcessor\' to prevent unauthorized modifications. Avoid running the InboxProcessor service with LocalSystem privileges if possible, or apply least privilege principles. Monitor for suspicious activity related to this service.
Indicators of Compromise
- exploit-code: # Exploit Title: NetBT e-Fatura - Privilege Escalation # Author: Seccops # Discovery Date: 2025-10-03 # Vendor: https://net-bt.com.tr/e-fatura/ # Tested Version: 2024 # Tested on OS: Microsoft Windows Server 2019 DC # Vulnerability Type: CWE-428 Unquoted Search Path or Element # CVE: CVE-2025-14018 Note: Thanks "Levent Sungu" for providing the testing environment. ==================== Description & Impact ==================== This vulnerability allows an unauthorized local user to execute arbitrary code with high privileges on the system. ================ Proof of Concept ================ C:\Users\efatura>sc qc InboxProcessor [SC] QueryServiceConfig SUCCESS SERVICE_NAME: InboxProcessor TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\inetpub\wwwroot\InboxProcessor\Netbt.Inbox.Process.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : InboxProcessor DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\Users\efatura\Desktop>accesschk.exe /accepteula -uwdq "C:\inetpub\wwwroot\InboxProcessor\" Accesschk v6.15 - Reports effective permissions for securable objects Copyright (C) 2006-2022 Mark Russinovich Sysinternals - www.sysinternals.com C:\inetpub\wwwroot\InboxProcessor RW BUILTIN\Users RW NT SERVICE\TrustedInstaller RW NT AUTHORITY\SYSTEM RW BUILTIN\Administrators
NetBT e-Fatura - Privilege Escalation
Description
NetBT e-Fatura - Privilege Escalation
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The NetBT e-Fatura application has a local privilege escalation vulnerability identified as CVE-2025-14018, caused by an unquoted search path or element (CWE-428). The InboxProcessor Windows service runs with LocalSystem privileges and loads its executable from 'C:\inetpub\wwwroot\InboxProcessor\Netbt.Inbox.Process.exe'. This directory is writable by standard users, allowing them to insert or replace executables that the service will run with elevated privileges. This misconfiguration enables unauthorized local users to execute arbitrary code with high privileges. The vulnerability was tested on version 2024 of the software on Windows Server 2019 DC. Public exploit code is available in text format. No official patch or vendor advisory confirming remediation is currently available.
Potential Impact
An unauthorized local user can gain elevated privileges on the affected system by exploiting this vulnerability, potentially achieving full system compromise under the LocalSystem account. This can lead to unauthorized access to sensitive data, disruption of services, and complete control over the host system.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://net-bt.com.tr/e-fatura/ for current remediation guidance. Until an official fix is available, restrict write permissions to the directory 'C:\inetpub\wwwroot\InboxProcessor\' to prevent unauthorized modifications. Avoid running the InboxProcessor service with LocalSystem privileges if possible, or apply least privilege principles. Monitor for suspicious activity related to this service.
Technical Details
- Edb Id
- 52509
- Has Exploit Code
- true
- Code Language
- text
Indicators of Compromise
Exploit Source Code
Exploit code for NetBT e-Fatura - Privilege Escalation
# Exploit Title: NetBT e-Fatura - Privilege Escalation # Author: Seccops # Discovery Date: 2025-10-03 # Vendor: https://net-bt.com.tr/e-fatura/ # Tested Version: 2024 # Tested on OS: Microsoft Windows Server 2019 DC # Vulnerability Type: CWE-428 Unquoted Search Path or Element # CVE: CVE-2025-14018 Note: Thanks "Levent Sungu" for providing the testing environment. ==================== Description & Impact ==================== This vulnerability allows an unauthorized local user to execute arbi... (979 more characters)
Threat ID: 69da14bc1cc7ad14da6c87be
Added to database: 4/11/2026, 9:30:36 AM
Last enriched: 4/18/2026, 2:52:19 PM
Last updated: 5/26/2026, 5:21:18 PM
Views: 130
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.