A critical remote code execution vulnerability (CVE-2025-4660) affects Forescout SecureConnector on Windows. The flaw is an insecure default DACL on a named pipe used by the agent: because the pipe is open to unauthorized users, including remote ones, an attacker can instruct the agent to talk to a rogue CounterACT server and from there run commands on the endpoint as SYSTEM. #CVE20254660 #ForescoutSecureConnector #CounterACT
Keypoints
- Forescout SecureConnector versions 11.1.02.1019 through 11.3.6 on Windows are vulnerable to a remote code execution (RCE) flaw identified as CVE-2025-4660.
- The vulnerability stems from insecure permissions on the named pipe _FS_SC_UNINSTALL_PIPE, which grant any network user full control; since Windows named pipes are reachable over SMB, the pipe can be opened remotely rather than only from the local host.
- An attacker with low privileges can redirect the SecureConnector agent to a rogue CounterACT server and disable certificate pinning using a null thumbprint.
- The compromised agent becomes a command and control (C2) node, allowing execution of commands such as process listing, directory listing, file download, and arbitrary SYSTEM-level command execution.
- Only Windows-based deployments of SecureConnector are affected; macOS and Linux versions are not impacted.
- Forescout released a patch in version 11.3.7 which fixes the vulnerability and users are strongly advised to upgrade immediately.
- The issue was originally disclosed in 2023 but was not widely known or publicly acknowledged until 2025, causing many environments to remain vulnerable.
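The root cause above is a named pipe whose DACL lets anyone open it. The following is an added illustration, not Forescout's code and not the agent's real pipe (the pipe name and the helper names are placeholders): it creates a pipe with a permissive DACL next to one restricted to SYSTEM and Administrators, and additionally denies the NETWORK logon SID so that SMB clients cannot reach it at all. It targets Windows PowerShell 5.1 (.NET Framework), whose NamedPipeServerStream constructor accepts a PipeSecurity; on PowerShell 7 the equivalent is NamedPipeServerStreamAcl.Create.

```powershell
# Added example: permissive vs. hardened named-pipe DACL (illustrative only,
# not Forescout code; "demo_pipe_*" and the function names are placeholders).
Add-Type -AssemblyName System.Core

function New-PipeSecurity {
    param([switch]$Hardened)
    $sec  = New-Object System.IO.Pipes.PipeSecurity
    $full = [System.IO.Pipes.PipeAccessRights]::FullControl
    if (-not $Hardened) {
        # Weak: Everyone (S-1-1-0) gets full control. Named pipes are exposed
        # via SMB as \\host\pipe\<name>, so this also admits remote callers.
        $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
        $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule($everyone, $full, 'Allow')))
    } else {
        # Hardened: only SYSTEM and local Administrators may open the pipe.
        $system  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')
        $admins  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
        $network = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-2')
        $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule($system, $full, 'Allow')))
        $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule($admins, $full, 'Allow')))
        # Deny the NETWORK logon SID: a remote SMB session carries S-1-5-2 in
        # its token, so this blocks remote opens even by an admin account.
        $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule($network, $full, 'Deny')))
    }
    return $sec
}

function New-DemoPipe {
    param([string]$Name, [System.IO.Pipes.PipeSecurity]$Security)
    # 8-argument constructor (.NET Framework): the PipeSecurity is applied at
    # creation time, which is where the default DACL must be overridden.
    $ctorArgs = @(
        $Name,
        [System.IO.Pipes.PipeDirection]::InOut,
        1,
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::None,
        4096, 4096,
        $Security
    )
    New-Object System.IO.Pipes.NamedPipeServerStream -ArgumentList $ctorArgs
}

function Show-PipeAcl {
    param([System.IO.Pipes.NamedPipeServerStream]$Pipe)
    # Read the effective DACL back from the live pipe object.
    $Pipe.GetAccessControl().GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        ForEach-Object { '{0,-6} {1,-32} {2}' -f $_.AccessControlType, $_.IdentityReference, $_.PipeAccessRights }
}

foreach ($mode in 'Weak', 'Hardened') {
    $pipe = New-DemoPipe -Name "demo_pipe_$mode" -Security (New-PipeSecurity -Hardened:($mode -eq 'Hardened'))
    "--- $mode ---"
    Show-PipeAcl $pipe
    $pipe.Dispose()
}
```

The point of the Deny ACE is that a pipe restricted to Administrators is still reachable from another host by anyone holding admin credentials; a control channel that only ever needs local callers should reject network logons outright.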
MITRE Techniques
- [T1574] Hijack Execution Flow – The attacker redirected the SecureConnector agent to a rogue server by sending a crafted redirect command over an accessible named pipe (“…Send a redirect command to the SecureConnector agent…Point the agent to a rogue CounterACT server…”).
- [T1105] Ingress Tool Transfer – After redirection, the rogue server could transfer instructions and potentially files to the agent using a text-based XML protocol (“…The rogue server can issue commands such as…File download…”).
- [T1059] Command and Scripting Interpreter – Arbitrary command execution as SYSTEM was possible by issuing commands through the compromised agent (“…Arbitrary command execution (as SYSTEM)…”).
- [T1071] Application Layer Protocol – The agent maintained a persistent connection to the rogue server, which used it as a command and control channel (“…Establish a persistent connection with the rogue server…”). (The page does not describe any scheduled task or job; the persistent C2 channel maps to a command-and-control technique, not to T1053.)
Indicators of Compromise
- [Named Pipe] Insecure communication channel on Windows – _FS_SC_UNINSTALL_PIPE can be accessed remotely by unauthorized users.
- [File Version] Vulnerable software versions – SecureConnector versions 11.1.02.1019 through 11.3.6 running on Windows platforms.
- [Server Thumbprint] Certificate thumbprint of all 00s used to bypass certificate pinning during redirection to rogue CounterACT servers.
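A quick host-side triage for the two indicators above (vulnerable version, pipe present), written here as an added example rather than a Forescout-supplied tool. It assumes Windows PowerShell 5.1 run as an administrator, and that the agent registers itself in the standard Uninstall registry keys with a DisplayName containing "SecureConnector" (a heuristic, not something the page confirms). It does not connect to the pipe, since sending anything to an uninstall pipe on a production agent is not something a triage script should do.

```powershell
# Added triage script (not a Forescout tool). Assumptions: Windows PowerShell
# 5.1, run elevated; registry DisplayName match is a heuristic.
$PipeName = '_FS_SC_UNINSTALL_PIPE'
$FirstBad = [version]'11.1.02.1019'   # System.Version parses this as 11.1.2.1019
$FixedIn  = [version]'11.3.7'

function Test-VulnerableVersion {
    param([Parameter(Mandatory)][string]$DisplayVersion)
    $v = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$v)) { return $false }
    # Affected: 11.1.02.1019 through 11.3.6. Comparing against "< 11.3.7" rather
    # than "<= 11.3.6" catches four-part builds such as 11.3.6.x, which
    # System.Version orders above the three-part 11.3.6.
    return ($v -ge $FirstBad) -and ($v -lt $FixedIn)
}

function Get-SecureConnectorInstall {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*SecureConnector*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-PipePresent {
    param([Parameter(Mandatory)][string]$Name)
    # Listing \\.\pipe\ enumerates every open named pipe without opening any of them.
    $pipes = [System.IO.Directory]::GetFiles('\\.\pipe\')
    return [bool]($pipes | Where-Object { $_ -like "*\$Name" })
}

$installs = @(Get-SecureConnectorInstall)
if ($installs.Count -eq 0) {
    'No SecureConnector entry found in the Uninstall registry keys.'
}
foreach ($app in $installs) {
    $state = if (Test-VulnerableVersion $app.DisplayVersion) { 'VULNERABLE - upgrade to 11.3.7' } else { 'not in affected range' }
    '{0} {1}: {2}' -f $app.DisplayName, $app.DisplayVersion, $state
}
if (Test-PipePresent $PipeName) {
    "Named pipe $PipeName is open on this host."
} else {
    "Named pipe $PipeName not found (agent not running, or already patched/removed)."
}
```

The version check is the part worth trusting; pipe presence only tells you the agent is running. To see who can actually open the pipe, inspect its DACL with a tool that does not write to it, such as Sysinternals AccessChk pointed at the \pipe\ namespace, and treat an Everyone or Authenticated Users allow entry as the insecure default the advisory describes.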
Read more: https://www.netspi.com/blog/technical-blog/red-teaming/cve-2025-4660-forescout-secureconnector-rce/