
In a detailed investigation, NetSPI security researchers have uncovered multiple high-risk local privilege escalation (LPE) vulnerabilities in SonicWall’s NetExtender VPN client for Windows, tracked as CVE-2025-23009 and CVE-2025-23010. These flaws could allow a low-privileged user to gain SYSTEM-level access or disrupt services via arbitrary file deletion and overwrite primitives.
The vulnerability hunt was initiated during a host-based penetration test of a hardened Windows 11 24H2 system where SonicWall NetExtender 10.3.1 was installed. A previous related bug (CVE-2025-23007) had been reported, prompting NetSPI to further reverse engineer and inspect file operation logic within the application.
“NetSPI sought to identify the root cause of this issue and audit the software for further similar vulnerabilities,” the researchers noted.
- CVE-2025-23009 – Arbitrary SYSTEM File Delete
Through clever use of NTFS junctions and pseudo-symlinks created using tools from Google Project Zero, NetSPI demonstrated that attackers can trick NEService.exe—running with SYSTEM privileges—into deleting protected files.
For example, after triggering the vulnerable saveProperties action through a named pipe, researchers observed SYSTEM-level file deletion.
“We have the ability to perform arbitrary file deletes as SYSTEM,” the blog confirms.
- CVE-2025-23010 – Arbitrary File Overwrite
A separate vulnerability was identified that allowed arbitrary file overwrite, which could be used to corrupt configurations or deny service.
NetSPI developed three reliable local privilege escalation exploits by combining delete primitives with Windows MSI rollback techniques, as previously described by the Zero Day Initiative:
- Via clearCapturedPacket
- Via saveCapturedPacket
- Via saveProperties
Although exploit code was not publicly released, the report offers enough details for defenders to understand the risk.
“Weaponized exploits will not be made available and are left as an exercise to the reader,” NetSPI stated.
Using a crafted JSON payload, the researchers could exploit the exportLogs feature via a .NET-invoked named pipe without any GUI interaction.
This was then sent directly to NEPipeSMAVpnPipe, the named pipe exposed by NEService.exe, to exploit SYSTEM-level operations.
“At a very high level, VpnSendMessageOnPipe() connects to the NEPipeSMAVpnPipe and passes in our JSON object,” the authors explained.
SonicWall has issued a patch in NetExtender for Windows version 10.3.2, released on April 9, 2025. Organizations using earlier versions are strongly urged to upgrade immediately.
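To find hosts that still need the upgrade, the following PowerShell audit flags NetExtender installs older than 10.3.2. It is an added example, not code from NetSPI or SonicWall, and it assumes the client registers a standard uninstall entry whose DisplayName contains "NetExtender".

```powershell
# Added example: flag NetExtender installs older than the fixed release (10.3.2).
# Assumption: the installer writes an uninstall entry whose DisplayName
# contains "NetExtender"; adjust the filter if your package is named differently.
$FixedVersion = [version]'10.3.2'

# Check both the native and the 32-bit (WOW6432Node) uninstall hives.
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-NetExtenderPatchStatus {
    param([version]$Fixed = $FixedVersion)

    Get-ItemProperty -Path $UninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*NetExtender*' } |
        ForEach-Object {
            $parsed = $null
            # DisplayVersion may be missing or carry a suffix; keep only the
            # leading dotted number so the [version] cast cannot throw.
            if ("$($_.DisplayVersion)" -match '^\d+(\.\d+){1,3}') {
                $parsed = [version]$Matches[0]
            }
            $status = if ($null -eq $parsed) { 'Unknown' } elseif ($parsed -lt $Fixed) { 'Vulnerable' } else { 'Patched' }

            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Name     = $_.DisplayName
                Version  = $_.DisplayVersion
                Status   = $status
            }
        }
}

# No output means no matching uninstall entry was found on this host.
Get-NetExtenderPatchStatus | Format-Table -AutoSize
```

Entries reported as Unknown have a version string that could not be parsed and should be checked by hand.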