Pipe Dreams: Remote Code Execution via Quest Desktop Authority Named Pipe 

Quest KACE Desktop Authority exposes a SYSTEM-owned named pipe (\\.\pipe\ScriptLogic_Server_NamedPipe_9300) that accepts connections from any authenticated domain user and implements a custom MFC CArchive-based IPC protocol that allows remote privileged operations. The protocol supports AdminExec, DllInjection, Credentials retrieval, InvokeCOM and other dangerous actions that enable remote code execution and credential exposure; apply vendor patches or firewall/segmentation mitigations. Tracked as CVE-2025-67813.

Keypoints

  • The Desktop Authority agent creates a SYSTEM-owned named pipe (\\.\pipe\ScriptLogic_Server_NamedPipe_9300) that is accessible remotely over SMB by authenticated domain users if permissions are not properly restricted.
  • The IPC protocol uses MFC CArchive serialization (CString and VARIANT formats), enabling structured RPC messages that specify operations like RpcName, Command, and DllInjectPid.
  • Supported operations include AdminExec (arbitrary command execution as local admin), DllInjection (inject arbitrary DLLs, including via UNC paths), Credentials (returns plaintext service account credentials), ImpersonateAdmin (token impersonation), and InvokeCOM (invoke elevated COM methods).
  • Attackers can achieve remote code execution as local administrators from any domain-joined machine by connecting to the named pipe and sending crafted messages or using the provided SLAgentTool examples.
  • The vulnerability was reported to Quest, tracked as CVE-2025-67813, and addressed in vendor updates and a Quest KB article (4381743); mitigations include patching, firewalling SMB/445, network segmentation, disabling the agent where unused, and monitoring pipe access.
  • Because the product uses a just-in-time admin pattern and returns plaintext service account credentials, a single compromise can facilitate lateral movement, credential reuse, and persistent privilege escalation across managed endpoints.
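One way to act on the "monitor pipe access" mitigation, as an added example that is not part of the original post or of Quest's tooling: the script below scans Windows Security event 5145 records (SMB access to a named pipe through the IPC$ share, which records the pipe name and the client address) for connections to the Desktop Authority pipe from hosts outside an assumed management allow-list. The log lines are constructed sample data and the allow-list address is an assumption.

```python
"""Flag remote SMB access to the Desktop Authority named pipe from
Windows Security event 5145 records (added example, not NetSPI's or Quest's code).

Event 5145 is logged when a client opens a named pipe over SMB via IPC$;
RelativeTargetName carries the pipe name and IpAddress the client address.
Field names follow the real event; the records below are constructed samples
flattened to key=value form, and MANAGEMENT_HOSTS is an assumed allow-list.
"""
import re
from typing import Dict, List

# Pipe names from the advisory (without the \\.\pipe\ prefix, as 5145 reports them).
PIPE_NAMES = {
    "ScriptLogic_Server_NamedPipe_9300",
    "ScriptLogic_Client_NamedPipe_9300",
}
# Assumed address of the management server that legitimately talks to agents.
MANAGEMENT_HOSTS = {"10.0.0.5"}

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    "EventID=5145 SubjectUserName=da-svc SubjectDomainName=DOMAIN ShareName=\\\\*\\IPC$ RelativeTargetName=ScriptLogic_Server_NamedPipe_9300 IpAddress=10.0.0.5 AccessMask=0x12019f",
    "EventID=5145 SubjectUserName=jdoe SubjectDomainName=DOMAIN ShareName=\\\\*\\IPC$ RelativeTargetName=ScriptLogic_Server_NamedPipe_9300 IpAddress=10.0.4.77 AccessMask=0x12019f",
    "EventID=5145 SubjectUserName=jdoe SubjectDomainName=DOMAIN ShareName=\\\\*\\IPC$ RelativeTargetName=srvsvc IpAddress=10.0.4.77 AccessMask=0x12019f",
    "EventID=4624 SubjectUserName=jdoe SubjectDomainName=DOMAIN LogonType=3",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn a flattened key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def is_suspicious_pipe_access(ev: Dict[str, str]) -> bool:
    """True for a 5145 IPC$ open of a Desktop Authority pipe from a non-management host."""
    if ev.get("EventID") != "5145":
        return False
    if not ev.get("ShareName", "").upper().endswith("IPC$"):
        return False
    if ev.get("RelativeTargetName") not in PIPE_NAMES:
        return False
    return ev.get("IpAddress") not in MANAGEMENT_HOSTS


def find_alerts(lines: List[str]) -> List[str]:
    """Return 'DOMAIN\\user@ip' for every record that should be investigated."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_pipe_access(ev):
            alerts.append(f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}@{ev['IpAddress']}")
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("remote Desktop Authority pipe access:", alert)
```

Pair this with an allow-list of hosts that are expected to reach agents over 445; after patching, any remaining hit is worth a look because the pipe is reachable by every authenticated domain user.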

MITRE Techniques

  • [T1021.002] SMB/Windows Admin Shares – The named pipe can be accessed over SMB, allowing remote authenticated users to connect to the service. [‘Named pipes on Windows can be accessed over SMB, meaning any authenticated user within the domain can connect to the pipe on remote hosts if permissions are not setup correctly.’]
  • [T1059] Command and Scripting Interpreter – AdminExec enables arbitrary command execution as a local administrator by sending commands via the RPC. [‘The AdminExec operation allows arbitrary command execution as a local administrator.’]
  • [T1055] Process Injection – DllInjection injects an arbitrary DLL into a specified process, supporting UNC paths so an attacker can host payloads on an SMB share. [‘The DllInjection operation injects an arbitrary DLL into a specified process… The DLL path can be a UNC path, meaning you can host a malicious DLL on an SMB share and have the SYSTEM service inject it into any process on the target host.’]
  • [T1134] Access Token Manipulation – The service’s JIT admin pattern and the ImpersonateAdmin RPC allow creation and use of elevated tokens and impersonation of administrative tokens. [‘the service temporarily adds this user to the local Administrators group, generates a token, and then removes the user from the group. The token persists with administrative privileges even after group membership is revoked.’; ‘By providing a handle to your current thread, the service will impersonate an administrative token on your behalf.’]
  • [T1552] Unsecured Credentials – The Credentials RPC returns the plaintext username and password of the service account, exposing domain credentials used for privileged operations. [‘The Credentials RPC call returns the username and password for this service account in plaintext.’]
  • [T1078] Valid Accounts – Any authenticated domain user can authenticate to the named pipe and leverage the exposed functionality to gain elevated execution on agent hosts. [‘Any authenticated user on the network can achieve remote code execution as a local administrator on hosts running the Desktop Authority agent.’]

Indicators of Compromise

  • [Named Pipe] Remote-accessible IPC endpoints – \\.\pipe\ScriptLogic_Server_NamedPipe_9300, \\.\pipe\ScriptLogic_Client_NamedPipe_9300
  • [Executable] Tool and agent binaries observed in examples – SLAgentTool.exe (exploit/tool example), Desktop Authority agent service binary (agent executable not explicitly named)
  • [UNC Path] Attacker-hosted payload path used for DLL injection – \\attacker\share\payload.dll
  • [CVE / KB] Tracking and vendor references – CVE-2025-67813, Quest KB: 4381743 (Quest KACE Desktop Authority Insecure Named Pipe Permissions)
  • [Domain / Hostnames] Example target used in PoC commands – target.domain.local, and example command artifacts such as the output file c:\pwned.txt

Read more: https://www.netspi.com/blog/technical-blog/adversary-simulation/pipe-dreams-remote-code-execution-via-quest-desktop-authority-named-pipe/