CVE-2025-4660
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to execute arbitrary code on Windows systems running the vulnerable SecureConnector agent. Attackers can connect to an improperly secured named pipe and redirect the agent to a malicious server that issues commands. Only Windows versions of SecureConnector are affected.
💻 Affected Systems
- SecureConnector Windows Agent
📦 What is this software?
SecureConnector by Forescout
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to install malware, steal data, pivot to other systems, or deploy ransomware across the network.
Likely Case
Initial foothold leading to lateral movement, credential theft, and deployment of additional payloads within the network.
If Mitigated
Limited impact with proper network segmentation and access controls preventing unauthorized network connections to the named pipe.
🎯 Exploit Status
Exploitation requires network access to the vulnerable system but no authentication. The CVSS score of 9.8 (Critical) indicates high severity and ease of exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched version
Vendor Advisory: https://forescout.my.site.com/support/s/article/
Restart Required: Yes
Instructions:
1. Review the vendor advisory at the provided URL
2. Download and install the patched version of SecureConnector Windows Agent
3. Restart the SecureConnector service or reboot the system as required
🔧 Temporary Workarounds
Restrict Named Pipe Access
Modify the named pipe permissions to remove Everyone group access and restrict them to authorized users only. A named pipe's DACL is assigned by the process that creates the pipe, so a change made from outside the agent lasts only until the pipe is recreated (for example when the service restarts); treat this as a stopgap and re-check the ACL after every restart.
Use a tool that can read and edit a named pipe's security descriptor, for example Sysinternals accesschk to inspect it (accesschk.exe -v \pipe\SecureConnectorPipe) and the .NET PipeStream.SetAccessControl method to rewrite it; Windows PowerShell ships no built-in cmdlet for named pipe DACLs (example pipe name - verify the exact name on the host)
Network Segmentation
Implement network controls to restrict access to the named pipe from unauthorized network segments. Remote access to a Windows named pipe travels over SMB (the IPC$ share), so controls on TCP port 445 are what limit it.
Configure firewall rules to block inbound connections to TCP port 445 (SMB) and any other ports the agent uses from untrusted networks. Blocking 445 also blocks file sharing and SMB-based remote management, so scope the rule to untrusted sources rather than applying it host-wide.
Use Windows Firewall: New-NetFirewallRule -DisplayName "Block SecureConnector Pipe" -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block (add -RemoteAddress with the untrusted ranges, or pair it with an Allow rule for management hosts, so legitimate SMB access is preserved)
🧯 If You Can't Patch
- Implement strict network segmentation to isolate systems running vulnerable SecureConnector agents from untrusted networks
- Deploy host-based firewall rules to block all inbound connections to the named pipe except from authorized management systems
🔍 How to Verify
Check if Vulnerable:
Check if the SecureConnector Windows Agent is running and verify the named pipe permissions using PowerShell: Get-ChildItem \\.\pipe\ | Where-Object {$_.Name -like '*SecureConnector*'} | Get-Acl
Check Version:
Check the SecureConnector agent version through the agent interface or Windows Services: sc.exe query SecureConnectorAgent (the service name is illustrative; confirm it with Get-Service *SecureConnector*)
Verify Fix Applied:
Verify the patched version is installed and check that the named pipe no longer has Everyone group permissions allowing remote access
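The check described above, written out as an added example (not code from the advisory or from Forescout): it enumerates the named pipes on the host, reads the DACL of every pipe whose name matches a pattern, and flags Allow entries granted to broad principals (Everyone, ANONYMOUS LOGON, NETWORK). The '*SecureConnector*' pattern is taken from the advisory's own wildcard and the real pipe name is an assumption to confirm on the host; Windows PowerShell 5.1 is assumed because .NET Framework exposes PipeStream.GetAccessControl() directly. Opening the pipe read-only is visible to the agent as a client connection, so try it on a test host first.

```powershell
# Added example: audit named pipe DACLs and flag entries open to broad principals.
# Assumptions: pipe-name pattern '*SecureConnector*' (the agent's real pipe name
# is unconfirmed) and Windows PowerShell 5.1 / .NET Framework.

function Get-NamedPipeAcl {
    param(
        [Parameter(Mandatory)] [string] $PipeName,
        [int] $TimeoutMs = 1000
    )
    # A read-only client handle is enough: GENERIC_READ includes READ_CONTROL.
    $client = [System.IO.Pipes.NamedPipeClientStream]::new(
        '.', $PipeName, [System.IO.Pipes.PipeDirection]::In)
    try {
        $client.Connect($TimeoutMs)
        $sec   = $client.GetAccessControl()
        $rules = $sec.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = [System.Security.Principal.SecurityIdentifier] $rule.IdentityReference
            # Translate to a name for display; fall back to the raw SID if lookup fails.
            try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $account = $sid.Value }
            [pscustomobject]@{
                Pipe    = $PipeName
                Sid     = $sid
                Account = $account
                Rights  = $rule.PipeAccessRights
                Type    = $rule.AccessControlType
            }
        }
    }
    finally { $client.Dispose() }
}

function Test-NamedPipeExposure {
    param([string] $Pattern = '*SecureConnector*')   # assumed pattern; confirm the real pipe name
    # Principals that make a pipe reachable by anyone, including unauthenticated remote clients.
    $broad = @(
        [System.Security.Principal.WellKnownSidType]::WorldSid,      # Everyone
        [System.Security.Principal.WellKnownSidType]::AnonymousSid,  # ANONYMOUS LOGON
        [System.Security.Principal.WellKnownSidType]::NetworkSid     # any network logon
    )
    $prefix = '\\.\pipe\'
    [System.IO.Directory]::GetFiles($prefix) |
        ForEach-Object { $_.Substring($prefix.Length) } |
        Where-Object { $_ -like $Pattern } |
        ForEach-Object {
            $name = $_
            try { $rows = Get-NamedPipeAcl -PipeName $name }
            catch { Write-Warning "$name : $($_.Exception.Message)"; return }
            foreach ($r in $rows) {
                $isBroad = [bool]($broad | Where-Object { $r.Sid.IsWellKnown($_) })
                $r | Add-Member -NotePropertyName Exposed `
                                -NotePropertyValue (($r.Type -eq 'Allow') -and $isBroad) -PassThru
            }
        }
}

# Usage: any row with Exposed = True is a DACL entry the patch or workaround should remove.
Test-NamedPipeExposure |
    Sort-Object Exposed -Descending |
    Format-Table Pipe, Account, Rights, Type, Exposed -AutoSize
```

A warning for a matching pipe means the connect itself was refused or timed out; a refusal for a non-privileged caller is consistent with a restricted DACL, while Exposed = True rows mean the pipe is still open to broad principals. After patching, rerun and expect no Exposed rows.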
📡 Detection & Monitoring
Log Indicators:
- Unusual named pipe connection attempts in Windows security logs (Event ID 5145, logged for remote opens of the pipe through the IPC$ share; it requires the "Audit Detailed File Share" subcategory to be enabled and does not capture local opens)
- Unexpected SecureConnector agent communication with unfamiliar IP addresses
- Process creation events from SecureConnector agent spawning unusual child processes
Network Indicators:
- Unexpected SMB/named pipe traffic to SecureConnector systems from unauthorized sources
- Network connections to the SecureConnector named pipe from non-management systems
SIEM Query:
source="windows_security" EventID=5145 ShareName="*IPC$" RelativeTargetName="*SecureConnector*" | stats count by host, IpAddress, SubjectUserName, RelativeTargetName
(field names follow the Windows 5145 event schema: IpAddress is the connecting client, RelativeTargetName is the pipe name; adjust them to your SIEM's Windows event parser)
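The same summary as the SIEM query, run directly against the host's Security log, as an added example that is not part of the advisory: it flattens Event ID 5145 records into their EventData fields, keeps opens of matching pipes through IPC$, and groups them by client address and user, marking sources that are not known management hosts or that are ANONYMOUS LOGON. The pipe-name pattern, the management-host list and the sample events are constructed assumptions, not values from the advisory; 5145 is only written when "Audit Detailed File Share" auditing is enabled.

```powershell
# Added example: summarize Security event 5145 (remote named pipe opens over IPC$)
# by client address and user. Sample events below are constructed; the pipe
# pattern and management-host list are assumptions.

function ConvertFrom-ShareAccessEvent {
    # Flatten one 5145 record (XML text, e.g. from EventLogRecord.ToXml())
    # into an object keyed by the EventData field names.
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml)
    process {
        $x = [xml] $EventXml
        $fields = [ordered]@{ TimeCreated = $x.Event.System.TimeCreated.SystemTime }
        foreach ($d in $x.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject] $fields
    }
}

function Get-PipeShareAccessSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Event,
        [string]   $PipePattern = '*SecureConnector*',   # assumed pipe name pattern
        [string[]] $ManagementHosts = @()                 # addresses allowed to talk to the agent
    )
    begin { $hits = New-Object System.Collections.Generic.List[psobject] }
    process {
        # Only named pipe opens (IPC$ share) against pipes matching the pattern.
        if ($Event.ShareName -like '*IPC$' -and $Event.RelativeTargetName -like $PipePattern) {
            $hits.Add($Event)
        }
    }
    end {
        $hits | Group-Object IpAddress, SubjectUserSid, RelativeTargetName | ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                IpAddress  = $first.IpAddress
                User       = "$($first.SubjectDomainName)\$($first.SubjectUserName)"
                Pipe       = $first.RelativeTargetName
                Count      = $_.Count
                # Unknown source host, or an unauthenticated (S-1-5-7) caller, is worth a look.
                Suspicious = ($ManagementHosts -notcontains $first.IpAddress) -or
                             ($first.SubjectUserSid -eq 'S-1-5-7')
            }
        } | Sort-Object Suspicious, Count -Descending
    }
}

function New-SampleShareAccessEvent {
    # Constructed 5145 record for offline testing; the field layout mirrors the real event.
    param([string] $Ip, [string] $UserSid, [string] $User, [string] $Domain, [string] $Target)
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5145</EventID><TimeCreated SystemTime="2025-06-01T10:00:00.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserSid">$UserSid</Data>
    <Data Name="SubjectUserName">$User</Data>
    <Data Name="SubjectDomainName">$Domain</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="IpAddress">$Ip</Data>
    <Data Name="IpPort">49812</Data>
    <Data Name="ShareName">\\*\IPC`$</Data>
    <Data Name="RelativeTargetName">$Target</Data>
    <Data Name="AccessMask">0x12019f</Data>
  </EventData>
</Event>
"@
}

# Constructed sample: one management host, one anonymous remote caller (twice), one unrelated pipe.
$sample = @(
    New-SampleShareAccessEvent -Ip '10.0.0.5'      -UserSid 'S-1-5-21-1-2-3-1105' -User 'svc_forescout'   -Domain 'CORP'         -Target 'SecureConnectorPipe'
    New-SampleShareAccessEvent -Ip '192.168.50.23' -UserSid 'S-1-5-7'             -User 'ANONYMOUS LOGON' -Domain 'NT AUTHORITY' -Target 'SecureConnectorPipe'
    New-SampleShareAccessEvent -Ip '192.168.50.23' -UserSid 'S-1-5-7'             -User 'ANONYMOUS LOGON' -Domain 'NT AUTHORITY' -Target 'SecureConnectorPipe'
    New-SampleShareAccessEvent -Ip '10.0.0.9'      -UserSid 'S-1-5-21-1-2-3-1200' -User 'jdoe'            -Domain 'CORP'         -Target 'spoolss'
)
$sample | ConvertFrom-ShareAccessEvent |
    Get-PipeShareAccessSummary -PipePattern '*SecureConnector*' -ManagementHosts '10.0.0.5' |
    Format-Table -AutoSize

# Live data instead of the sample (elevated prompt; Detailed File Share auditing must be on):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5145} -MaxEvents 5000 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-ShareAccessEvent |
#     Get-PipeShareAccessSummary -ManagementHosts '10.0.0.5'
```

On the sample, the two anonymous opens from 192.168.50.23 collapse into one Suspicious row with Count 2, the management host's row is not flagged, and the spoolss open is dropped because it does not match the pipe pattern. Local opens of the pipe never produce 5145, so pair this with a host-level pipe monitor if local exploitation is a concern.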