Vulnerabilities ›

CVE-2019-25281

High

CWE-428 — Weakness Type

                    Published: Feb 5, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

7.8

🔗 NVD Official

📄 Description (English)

NCP Secure Entry Client 9.2 contains an unquoted service path vulnerability in multiple Windows services that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted paths in services like ncprwsnt, rwsrsu, ncpclcfg, and NcpSec to inject malicious code that would execute with LocalSystem privileges during service startup.

🤖 AI Executive Summary

CVE-2019-25281 is a local privilege escalation vulnerability in NCP Secure Entry Client 9.2 affecting multiple Windows services with unquoted paths. Attackers with local access can inject malicious executables to achieve arbitrary code execution with LocalSystem privileges. This vulnerability poses significant risk to organizations using NCP for secure remote access, particularly in Saudi banking and government sectors relying on this solution for VPN connectivity.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 27, 2026 03:08

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability primarily impacts Saudi organizations in Banking (SAMA-regulated institutions), Government agencies (NCA, Ministry of Interior), and Energy sector (ARAMCO, oil & gas companies) that deploy NCP Secure Entry Client for secure remote access and VPN connectivity. The LocalSystem privilege escalation could allow attackers to compromise critical infrastructure, access sensitive financial data, government communications, and operational technology systems. Telecom operators (STC, Mobily) using NCP for secure management access are also at risk. The vulnerability requires local access, limiting exposure but creating insider threat risks in organizations with inadequate endpoint security controls.

🏢 Affected Saudi Sectors

Banking & Financial Services Government & Public Administration Energy & Oil & Gas Telecommunications Healthcare Defense & Security

🎯 MITRE ATT&CK Techniques

T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.011 - Boot or Logon Autostart Execution: Services T1134.003 - Access Token Manipulation: Make and Impersonate Token T1548.004 - Abuse Elevation Control Mechanism: Elevated Execution with Prompt T1574.008 - Hijack Execution Flow: DLL Search Order Hijacking T1036.003 - Masquerading: Rename System Utilities T1053.005 - Scheduled Task/Job: Scheduled Task T1611 - Escape to Host

⚖️ Saudi Risk Score (AI)

7.2

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Identify all systems running NCP Secure Entry Client 9.2 across your organization

2. Restrict local access to systems running vulnerable NCP services through Group Policy and access controls

3. Implement application whitelisting to prevent unauthorized executable injection

4. Enable Windows Service hardening and restrict service startup permissions



Patching Guidance:

1. Upgrade NCP Secure Entry Client to version 9.3 or later immediately

2. Apply vendor security patches as released by NCP

3. Verify service paths are properly quoted after patching

4. Test patches in non-production environments before enterprise deployment



Compensating Controls (if patching delayed):

1. Implement file integrity monitoring on service executable directories

2. Deploy endpoint detection and response (EDR) solutions to detect suspicious service modifications

3. Use Windows AppLocker to restrict execution in service directories

4. Monitor Windows Event Viewer for service startup anomalies (Event ID 7045)

5. Implement principle of least privilege for user accounts



Detection Rules:

1. Monitor for file creation in service directories (C:\Program Files\NCP*) by non-system accounts

2. Alert on service startup failures followed by successful execution of unexpected binaries

3. Track modifications to service registry keys (HKLM\SYSTEM\CurrentControlSet\Services\)

4. Monitor process execution with LocalSystem privileges from unusual paths

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع الأنظمة التي تقوم بتشغيل عميل NCP Secure Entry الإصدار 9.2 عبر مؤسستك

2. تقييد الوصول المحلي للأنظمة التي تقوم بتشغيل خدمات NCP الضعيفة من خلال Group Policy وعناصر التحكم في الوصول

3. تنفيذ قائمة بيضاء للتطبيقات لمنع حقن الملفات التنفيذية غير المصرح بها

4. تفعيل تقسية خدمات Windows وتقييد أذونات بدء الخدمة

إرشادات التصحيح:

1. ترقية عميل NCP Secure Entry إلى الإصدار 9.3 أو أحدث على الفور

2. تطبيق تصحيحات الأمان من البائع حسب الإصدار

3. التحقق من أن مسارات الخدمة محاطة بعلامات اقتباس بشكل صحيح بعد التصحيح

4. اختبار التصحيحات في بيئات غير الإنتاج قبل نشرها على مستوى المؤسسة

عناصر التحكم البديلة (إذا تأخر التصحيح):

1. تنفيذ مراقبة سلامة الملفات على أدلة الخدمات التنفيذية

2. نشر حلول الكشف والاستجابة على نقاط النهاية (EDR)

3. استخدام Windows AppLocker لتقييد التنفيذ في أدلة الخدمات

4. مراقبة Windows Event Viewer للكشف عن شذوذ بدء الخدمة

5. تنفيذ مبدأ أقل امتياز للحسابات

قواعد الكشف:

1. مراقبة إنشاء الملفات في أدلة الخدمات من قبل حسابات غير النظام

2. التنبيه على فشل بدء الخدمة متبوعاً بتنفيذ ملفات ثنائية غير متوقعة

3. تتبع التعديلات على مفاتيح سجل الخدمة

4. مراقبة تنفيذ العمليات بامتيازات LocalSystem من مسارات غير عادية

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.5.1.1 - Information security policies and procedures A.5.2.1 - User access management A.5.2.2 - Privileged access rights A.5.2.3 - User access review A.5.3.1 - Password management A.5.4.1 - Access control implementation A.5.4.2 - Segregation of duties A.6.1.1 - Cryptographic controls A.6.2.1 - Physical and logical access controls

🔵 SAMA CSF

Governance & Risk Management - Risk Assessment and Management Information & Cybersecurity - Access Control and Authentication Information & Cybersecurity - Endpoint Protection Operational Resilience - Incident Management Operational Resilience - Business Continuity

🟡 ISO 27001:2022

5.3 - Segregation of duties 5.15 - Access control 5.16 - Identification and authentication 5.17 - Access rights 5.18 - Information security in supplier relationships 6.5 - Control of operational change 8.1 - Operational planning and control 8.3 - Protection from malware

🟣 PCI DSS v4.0.1

Requirement 1.1 - Firewall configuration standards Requirement 2.1 - Default security parameters Requirement 2.2.4 - Configure system security parameters Requirement 6.2 - Security patches and updates Requirement 7 - Restrict access to data Requirement 8.1 - User identification and authentication

🔗 References & Sources 3

🔗

http://software.ncp-e.com/

disclosure@vulncheck.com

🔗

https://www.exploit-db.com/exploits/47668

disclosure@vulncheck.com

🔗

https://www.vulncheck.com/advisories/ncpsecureentryclient-unquoted-service-paths

disclosure@vulncheck.com

📊 CVSS Score

7.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.8

CWECWE-428

EPSS0.01%

Exploit No

Patch ✓ Yes

Published 2026-02-05

Source Feed nvd

🇸🇦 Saudi Risk Score

7.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-428

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2019-25281

💬 Comments

Introduce Yourself

Sign In Required