CVE-2025-26155
📋 TL;DR
This CVE describes an Untrusted Search Path vulnerability in NCP VPN clients that allows attackers to execute arbitrary code by placing malicious DLLs in directories searched by the application. It affects users of NCP Secure Enterprise Client 13.18 and NCP Secure Entry Windows Client 13.19 on Windows systems.
💻 Affected Systems
- NCP Secure Enterprise Client
- NCP Secure Entry Windows Client
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, allowing complete control over the affected machine, data theft, and lateral movement within the network.
Likely Case
Local privilege escalation leading to administrative access on the compromised system, enabling further attacks and persistence.
If Mitigated
Limited impact if proper application whitelisting and path restrictions are enforced, preventing unauthorized DLL loading.
🎯 Exploit Status
Exploitation requires local access to the target system. Attackers need to place a malicious DLL in a directory that the application searches before legitimate system directories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for latest patched versions
Vendor Advisory: https://www.ncp-e.com/
Restart Required: Yes
Instructions:
1. Visit the NCP vendor website for the latest security updates.
2. Download and install the patched version.
3. Restart the system to ensure the changes take effect.
4. Verify that the installation was successful.
🔧 Temporary Workarounds
Restrict DLL Search Path
Configure Windows so that the current working directory is not consulted when resolving DLLs. Run the following from an elevated PowerShell prompt. Neither value protects against a DLL planted in the application's own install directory, which Windows searches first; that case is covered by the file system permissions listed under "If You Can't Patch".
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "SafeDllSearchMode" -Value 1 -Type DWord   # 1 = enabled (the Windows default); 0 moves the current directory ahead of the system directories
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "CWDIllegalInDllSearch" -Value 1 -Type DWord   # 1 blocks CWD DLL loads only when the CWD is a WebDAV share; 0xFFFFFFFF removes the CWD from the search order entirely
Application Whitelisting
Implement application control policies (for example Windows Defender Application Control or AppLocker DLL rules) so that only signed or explicitly allowed DLLs can be loaded by the NCP client processes.
🧯 If You Can't Patch
- Implement strict file system permissions to prevent users from writing to application directories
- Use endpoint detection and response (EDR) tools to monitor for DLL hijacking attempts
🔍 How to Verify
Check if Vulnerable:
Check the installed version of the NCP client via Control Panel > Programs and Features, or with the PowerShell command under "Check Version" below, and compare it against the affected versions (Secure Enterprise Client 13.18, Secure Entry Windows Client 13.19). Note that querying Win32_Product enumerates every MSI package and triggers a consistency check on each, so it is slow and can take minutes on a busy host.
Check Version:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*NCP*"} | Select-Object Name, Version
Verify Fix Applied:
Verify installed version is newer than affected versions and check vendor advisory for specific patched version numbers
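An added PowerShell check that automates the three verification points above: it reports installed NCP client versions from the standard uninstall registry keys, reads the two Session Manager values used in the workaround, and flags an NCP install directory that grants write access to non-admin users (the precondition for planting a DLL there). This is example code written for this page, not a script from NCP or the vendor advisory; the install path is taken from each product's own uninstall entry.

```powershell
# Added verification script (not NCP's tooling). Read-only; run from an elevated prompt.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Uninstall keys are fast and side-effect free, unlike Win32_Product,
# which triggers an MSI consistency check on every installed product.
$ncp = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*NCP*' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation

if (-not $ncp) { Write-Output 'No NCP client found in the uninstall registry keys.' }
foreach ($p in $ncp) {
    Write-Output ("Installed: {0} {1} at {2}" -f $p.DisplayName, $p.DisplayVersion, $p.InstallLocation)
    # A writable install directory means an unprivileged user could drop a DLL
    # that the client would load ahead of the system directories.
    if ($p.InstallLocation -and (Test-Path -Path $p.InstallLocation)) {
        $acl  = Get-Acl -Path $p.InstallLocation
        $weak = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
            $_.FileSystemRights -match 'Write|Modify|FullControl'
        }
        if ($weak) {
            Write-Warning ("Non-admin write access on {0}: {1}" -f $p.InstallLocation,
                (($weak.IdentityReference | ForEach-Object { $_.Value }) -join ', '))
        } else {
            Write-Output '  Install directory ACL: no non-admin write access found'
        }
    }
}

# DLL search-path hardening values; a missing value means the Windows default applies.
$sm    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$props = Get-ItemProperty -Path $sm
$safe  = $props.SafeDllSearchMode
$cwd   = $props.CWDIllegalInDllSearch
$safeText = if ($null -eq $safe) { 'not set (default: enabled)' } else { "$safe" }
$cwdText  = if ($null -eq $cwd)  { 'not set (CWD is searched)' }   else { '0x{0:X}' -f [uint32]$cwd }
Write-Output "SafeDllSearchMode: $safeText"
Write-Output "CWDIllegalInDllSearch: $cwdText  (0xFFFFFFFF removes the CWD from the search order)"
```

Treat any warning about non-admin write access as the actionable finding: tightening that ACL removes the planting location regardless of the client version.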
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing DLL loading from unusual paths
- Application errors related to missing or corrupted DLLs
- Process creation events for NCP clients with suspicious parent processes
Network Indicators:
- Unusual outbound connections from NCP client processes
- VPN connection attempts from compromised accounts
SIEM Query (pseudo-syntax; the CommandLine field of event 4688 is only populated when "Include command line in process creation events" is enabled in the audit policy):
EventID=4688 AND (NewProcessName LIKE "%ncp%" OR NewProcessName LIKE "%NCP%") AND (CommandLine CONTAINS "dll" OR ParentProcessName NOT IN ("explorer.exe", "services.exe"))