NetSPI discovered multiple arbitrary SYSTEM file delete and overwrite vulnerabilities in SonicWall NetExtender for Windows, which could be exploited for local privilege escalation and denial of service. These issues were addressed in version 10.3.2 of NetExtender. #SonicWallNetExtender #CVE-2025-23009 #CVE-2025-23010
Key points
- NetSPI identified arbitrary SYSTEM file delete vulnerabilities in SonicWall NetExtender 10.3.1 that allow privilege escalation, tracked as CVE-2025-23009.
- An arbitrary SYSTEM file overwrite vulnerability enabling denial of service was also found, tracked as CVE-2025-23010.
- The vulnerabilities stem from insecure file operations performed by the SYSTEM-level service, which follow NTFS junctions and symbolic links planted by a local user; they are triggered with crafted JSON payloads sent through the service's named pipes.
- NetSPI reverse engineered a non-public exploit and demonstrated triggering the vulnerable log export feature without requiring GUI interaction.
- Multiple file delete actions were identified via different named pipe commands, including clearCapturedPacket, saveProperties, and saveCapturedPacket.
- Local privilege escalation was achieved by abusing arbitrary file delete capabilities to manipulate MSI rollback files, following techniques from prior research.
- SonicWall released an updated NetExtender version 10.3.2 on 2025-04-09 that addresses all highlighted vulnerabilities.
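The root cause above is a privileged service deleting files under a path a low-privileged user can redirect with a junction or symlink. As an added defensive illustration (not code from NetSPI or SonicWall, and not the vendor's actual fix), the following Python helper refuses a delete when any path component below the allowed base directory is a symlink or Windows reparse point, or when the target escapes the base directory; the directory and file names in the demo are constructed.

```python
import os
import stat
import tempfile

# Windows reparse-point attribute (junctions, symlinks, mount points); fall back to its value.
REPARSE = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_reparse_point(path: str) -> bool:
    """True if `path` itself is a symlink or (on Windows) a junction/other reparse point."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & REPARSE)


def safe_delete(base_dir: str, relative_name: str) -> bool:
    """Delete base_dir/relative_name only if it stays inside base_dir and no component
    between base_dir and the file is a symlink/junction. Returns True if deleted."""
    base = os.path.realpath(base_dir)
    target = os.path.normpath(os.path.join(base, relative_name))
    # Reject traversal ("..") or absolute paths that leave the base directory.
    if target == base or os.path.commonpath([base, target]) != base:
        return False
    # Walk each component below base, refusing any reparse point along the way.
    cur = base
    for part in os.path.relpath(target, base).split(os.sep):
        cur = os.path.join(cur, part)
        if not os.path.lexists(cur) or is_reparse_point(cur):
            return False
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo() -> dict:
    """Constructed scenario: an export directory containing a link that points at a
    'protected' directory, mimicking a junction aimed at a system path."""
    root = tempfile.mkdtemp()
    exports, protected = os.path.join(root, "exports"), os.path.join(root, "protected")
    os.makedirs(exports)
    os.makedirs(protected)
    open(os.path.join(exports, "capture.pcap"), "w").close()
    open(os.path.join(protected, "hosts"), "w").close()
    os.symlink(protected, os.path.join(exports, "redirect"), target_is_directory=True)
    return {
        "plain": safe_delete(exports, "capture.pcap"),                              # True
        "via_link": safe_delete(exports, os.path.join("redirect", "hosts")),        # False
        "traversal": safe_delete(exports, os.path.join("..", "protected", "hosts")),  # False
        "protected_intact": os.path.exists(os.path.join(protected, "hosts")),      # True
    }
```

The check-then-delete sequence still leaves a race window; on Windows a privileged service should additionally open the file with FILE_FLAG_OPEN_REPARSE_POINT or perform the operation while impersonating the requesting client, so the deletion runs with that user's rights rather than SYSTEM's.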
MITRE ATT&CK Techniques
- [T1059] Command and Scripting Interpreter – Crafted JSON payloads were sent via named pipes to execute arbitrary commands on the NetExtender service (“VpnSendMessageOnPipe() connects to the NEPipeSMAVpnPipe named pipe and passes in our JSON object”).
- [T1090] Proxy – NTFS junctions and symbolic links were used as shortcuts to redirect file operations to arbitrary system directories (“CreateMountPoint.exe used to create junctions redirecting operations to C:\Windows\System32\drivers\etc”).
- [T1068] Exploitation for Privilege Escalation – Leveraged arbitrary SYSTEM file delete vulnerabilities to escalate privileges by manipulating MSI rollback files (“Techniques described by Abdelhamid Naceri … to produce reliable local privilege escalation exploits”).
Indicators of Compromise
- [File Name] Target files involved in exploitation – Nxpcap_tmp.pcap, prelogon.v2.disabled
- [File Path] Critical system paths affected – C:\Windows\System32\drivers\etc, C:\Windows\System32\config\hello.txt
- [Named Pipe] Communication channels abused – NEPipeSMAVpnPipe, NEPipeStClient