NetSPI has uncovered a critical vulnerability in Forescout SecureConnector, a security agent meant to enforce endpoint compliance. This same tool, designed for system hardening, could be abused by attackers to hijack machines remotely. Tracked as CVE-2025-4660, the bug received a CVSSv4 base score of 8.7 and affects SecureConnector versions 11.1.02.1019 through 11.3.6 on Windows.
“Ironically, in versions 11.1.02.1019 through 11.3.6 on Windows, it can be turned into a remote attacker’s best friend,” the report notes.
The vulnerability lies in how the SecureConnector agent uses a named pipe called _FS_SC_UNINSTALL_PIPE for inter-process communication. Shockingly, this pipe was configured with remote access rights granted to the ‘Everyone’ group, giving any user on the network full control.
“This allowed a low-privileged attacker to… send a redirect command to the SecureConnector agent… and point the agent to a rogue CounterACT server,” the report explains.
In short, an attacker could:
- Connect to the named pipe remotely.
- Redirect the agent to an attacker-controlled server.
- Bypass certificate pinning by supplying a thumbprint of all zeros.
- Execute arbitrary commands on the endpoint as SYSTEM.
SecureConnector communicates with its backend CounterACT server using binary RPC commands over the named pipe, followed by a length-prefixed, XML-based protocol. A key function allows redirection to a new server, and attackers can manipulate it by:
- Supplying a fake host and port.
- Bypassing TLS certificate checks with a null thumbprint.
- Establishing a rogue command-and-control (C2) session.
Once redirected, the rogue server can send commands such as:
- Process and directory listing
- File downloads
- Full command execution as SYSTEM
Administrators can also reference NetSPI’s GitHub page for proof-of-concept details.
According to NetSPI, only Windows deployments of SecureConnector are vulnerable. Linux and macOS versions of the agent are not affected.
Forescout has released a patch in version 11.3.7 of SecureConnector. All organizations using affected versions are urged to upgrade immediately.
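A defender-side check, added here as an example and not part of the NetSPI report or Forescout's own tooling: a PowerShell script that flags a host whose installed SecureConnector version falls in the affected range (11.1.02.1019 through 11.3.6, fixed in 11.3.7) and hunts the Security log for remote opens of the _FS_SC_UNINSTALL_PIPE named pipe over IPC$. It assumes the agent's Uninstall registry entry has a DisplayName containing "SecureConnector" and that "Audit Detailed File Share" (Security event 5145) is enabled on the endpoint.

```powershell
# Added example, not from the NetSPI report. Assumptions: the agent's Uninstall
# DisplayName contains "SecureConnector"; Security event 5145 is being audited.

$AffectedMin = [version]'11.1.2.1019'   # 11.1.02.1019 as written in the advisory
$FixedMMB    = [version]'11.3.7'        # first fixed release

function Get-SecureConnectorStatus {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*SecureConnector*' } |   # assumed name
        ForEach-Object {
            $v = [version]$_.DisplayVersion
            # Compare on major.minor.build so that any 11.3.6.x build still counts
            $mmb = [version]('{0}.{1}.{2}' -f $v.Major, $v.Minor, [Math]::Max($v.Build, 0))
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Version  = $_.DisplayVersion
                Affected = ($v -ge $AffectedMin) -and ($mmb -lt $FixedMMB)
            }
        }
}

function Find-RemotePipeAccess {
    param([int]$Days = 7)
    # Event 5145 records network share object access; remote named-pipe opens
    # show up with ShareName \\*\IPC$ and the pipe name in RelativeTargetName.
    $filter = @{ LogName = 'Security'; Id = 5145; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '_FS_SC_UNINSTALL_PIPE' } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                SourceIP   = $d['IpAddress']
                Account    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                Share      = $d['ShareName']
                Target     = $d['RelativeTargetName']
                AccessMask = $d['AccessMask']
            }
        }
}

Get-SecureConnectorStatus | Format-Table -AutoSize
Find-RemotePipeAccess    | Format-Table -AutoSize
```

Any 5145 hit on this pipe from a non-CounterACT source address on a host still marked Affected is worth treating as a possible redirect attempt until the agent is upgraded to 11.3.7.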