NSClient++
cpe:2.3:a:nsclient:nsclient++:*:*:*:*:*:*:*
- 0.5.2.35
A remote code execution vulnerability has been identified in NSClient++ version 0.5.2.35. This issue arises when the web interface and ExternalScripts module are enabled. An authenticated attacker with knowledge of the administrator password can exploit this vulnerability by injecting arbitrary commands as external scripts through the /settings/query.json API. After saving the configuration, the injected script can be executed via the /query/{name} endpoint. The executed commands run with SYSTEM privileges, allowing for full remote compromise. While this functionality is intended, the absence of proper safeguards or privilege separation poses a significant risk when exposed to untrusted actors.
Exploitation of this vulnerability leads to authenticated remote code execution with SYSTEM privileges on the affected host.
To reproduce this vulnerability, authenticate to the NSClient++ web interface on port 8443 using an administrator password. Ensure that the ExternalScripts module is enabled. Once authenticated, inject a command as an external script via the /settings/query.json API. After the script is saved, execute it through the /query/{name} endpoint. The injected command will be executed with SYSTEM privileges, resulting in remote code execution.
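A defender can check a host for the condition described above (web interface and ExternalScripts both enabled) and for script definitions that were saved into the configuration without approval. The following is an added example, not code from NSClient++ or from this advisory; the section and key names follow the usual nsclient.ini layout and are assumptions, and the sample config and the `APPROVED_SCRIPTS` baseline are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed sample config, not taken from a real host. Section and key names
# follow the usual nsclient.ini layout and are assumptions, not from the advisory.
SAMPLE_INI = """\
[/modules]
WEBServer = enabled
CheckExternalScripts = enabled
[/settings/default]
allowed hosts = 127.0.0.1,10.0.0.0/8
[/settings/external scripts/scripts]
check_disk = scripts\\check_disk.bat
diag = cmd /c scripts\\diag.bat
"""
APPROVED_SCRIPTS = {"check_disk"}  # hypothetical baseline kept by the admin team
SCRIPTS = "/settings/external scripts/scripts"

def enabled(cfg, module):
    value = cfg.get("/modules", module, fallback="disabled") or ""
    return value.strip().lower() in {"enabled", "1", "true"}

def beyond_loopback(hosts):
    """Return the allowed-hosts entries that admit more than loopback."""
    wide = []
    for entry in filter(None, (h.strip() for h in hosts.split(","))):
        try:
            if not ipaddress.ip_network(entry, strict=False).is_loopback:
                wide.append(entry)
        except ValueError:  # hostname or wildcard: cannot be shown to be local
            wide.append(entry)
    return wide

def audit(ini_text, approved=APPROVED_SCRIPTS):
    cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                    allow_no_value=True)
    cfg.read_string(ini_text)
    findings = []
    web = enabled(cfg, "WEBServer")
    if web and enabled(cfg, "CheckExternalScripts"):
        findings.append(("exposure", "web interface + external scripts enabled"))
    if web:
        hosts = cfg.get("/settings/default", "allowed hosts", fallback="") or ""
        findings += [("reachable-from", e) for e in beyond_loopback(hosts)]
    if cfg.has_section(SCRIPTS):
        findings += [("unapproved-script", n) for n in cfg.options(SCRIPTS)
                     if n not in approved]
    return findings

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_INI):
        print(f"{kind}: {detail}")
```

Running the audit on a schedule and alerting on any new `unapproved-script` finding catches a script definition that was added through the settings API and persisted to the configuration.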