
The vulnerabilities expose industrial control environments to remote takeover, threatening critical infrastructure that relies on NetSupport Manager for remote maintenance.
Remote‑administration suites like NetSupport Manager are prized for their convenience, yet they also broaden the attack surface of operational technology networks. The software’s broadcast channel, introduced in version 14, operates outside the normal command pipeline and historically lacked authentication checks. When attackers manipulate the BC_ADD_PORT and BC_TCP_DATA commands, they can trigger integer overflows and unchecked buffer reads, turning a benign feature into a conduit for code execution. This scenario underscores how undocumented functionalities can become high‑impact vulnerabilities if not rigorously vetted.
The technical chain exploits a heap‑based out‑of‑bounds write followed by a stack‑based out‑of‑bounds read, allowing adversaries to leak memory addresses and defeat Address Space Layout Randomization. By overwriting vtable pointers, the exploit constructs a return‑oriented programming (ROP) chain that ultimately calls kernel32 APIs to spawn a remote shell. Because the broadcast commands require no credentials, any host that can reach port 5405—often permitted through internal firewalls for remote support—becomes a potential entry point. In OT settings, where network segmentation is already thin, such a foothold can enable lateral movement into PLCs, SCADA systems, and other critical assets.
Mitigation hinges on rapid patch deployment and network hardening. NetSupport’s July 2025 update enforces authentication for all broadcast interactions and adds strict parameter validation, effectively neutralizing the exploit. Organizations should prioritize upgrading to version 14.12.0000, restrict inbound traffic to port 5405, and monitor for anomalous broadcast traffic. Longer‑term, the incident highlights the need for continuous security assessments of remote‑control tools, especially those embedded in critical infrastructure, to pre‑empt similar zero‑day disclosures.
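One way to act on the monitoring advice above, written here as an added example rather than anything from the article or from NetSupport: parse firewall flow records, flag connections to TCP/5405 from hosts that are not approved remote-support stations, and flag a single source touching many OT targets on that port. The log format, IP addresses, allowlist and threshold are all constructed for the example.

```python
import re

NETSUPPORT_PORT = 5405  # broadcast/control port named in the article

# Constructed sample flow records in a simple key=value export format
# (hypothetical schema, not NetSupport's or any firewall vendor's real format).
SAMPLE_FLOWS = """\
ts=2025-07-14T09:00:01 src=10.10.8.5 dst=10.20.1.15 dport=5405 proto=tcp action=allow
ts=2025-07-14T09:00:02 src=10.10.8.5 dst=10.20.1.16 dport=5405 proto=tcp action=allow
ts=2025-07-14T09:03:40 src=10.30.77.9 dst=10.20.1.15 dport=5405 proto=tcp action=allow
ts=2025-07-14T09:03:41 src=10.30.77.9 dst=10.20.1.16 dport=5405 proto=tcp action=allow
ts=2025-07-14T09:03:41 src=10.30.77.9 dst=10.20.1.17 dport=5405 proto=tcp action=allow
ts=2025-07-14T09:03:42 src=10.30.77.9 dst=10.20.1.18 dport=5405 proto=tcp action=allow
ts=2025-07-14T09:05:00 src=10.10.8.5 dst=10.20.1.15 dport=443 proto=tcp action=allow
"""

# Hosts approved to reach the remote-support port (constructed allowlist).
APPROVED_SUPPORT_HOSTS = {"10.10.8.5"}

# Distinct targets one source may touch on 5405 before we treat it as a sweep.
SWEEP_THRESHOLD = 3

FLOW_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)

def parse_flows(text):
    """Return (src, dst, dport) tuples for TCP flows; skip lines that do not parse."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m and m.group("proto") == "tcp":
            flows.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return flows

def find_anomalies(flows, approved=APPROVED_SUPPORT_HOSTS, threshold=SWEEP_THRESHOLD):
    """Flag 5405 traffic from unapproved sources and sources sweeping many targets."""
    alerts = []
    targets_by_src = {}
    for src, dst, dport in flows:
        if dport != NETSUPPORT_PORT:
            continue
        if src not in approved:
            alerts.append(("unapproved_source", src, dst))
        targets_by_src.setdefault(src, set()).add(dst)
    for src, dsts in targets_by_src.items():
        if len(dsts) >= threshold:
            alerts.append(("target_sweep", src, len(dsts)))
    return alerts
```

In a real deployment the allowlist would come from the change-controlled list of support jump hosts, and the sweep threshold would be tuned against a baseline of normal maintenance sessions.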