Low

Rejected CVE for NetSarang ShadowPad Supply-Chain Backdoor

Identifiers: CVE-2025-34252, CWE-506

CVE-2025-34252 is a rejected CVE record. According to the CNA's record, this identifier was withdrawn and reassigned to CVE-2017-20203 so that the CVE year matches the 2017 public disclosure. The underlying issue was a supply-chain compromise affecting NetSarang Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220, in which a malicious nssock2.dll was distributed with the software. That DLL implemented a multi-stage DNS-based backdoor that queried attacker-controlled infrastructure via crafted TXT records, obtained a decryption key, downloaded and executed arbitrary code, and maintained persistence using an encrypted virtual file system stored in the Windows registry. The associated weakness, CWE-506, is embedded malicious code.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation of the compromised NetSarang builds provides attackers with remote code execution on affected systems, persistent access via registry-resident encrypted storage, and the ability to exfiltrate data. Because this was a trojanized software distribution issue, impact occurs in the context of installing or running the affected builds rather than exploiting a conventional memory-safety or logic flaw.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade or replacement is not possible, isolate systems running the affected NetSarang builds, block outbound DNS resolution to untrusted or anomalous domains, monitor for suspicious TXT-record DNS activity, and inspect installations for the presence of the malicious nssock2.dll. Review Windows registry locations for persistence artifacts associated with the encrypted virtual file system described above, and perform incident response on any host where the trojanized software was installed or executed.
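One way to operationalise the "monitor for suspicious TXT-record DNS activity" step, as an added example that is not part of the original advisory: a small hunt script over DNS client telemetry that counts TXT queries per (host, process, zone) whose leading label looks encoded, and keeps only tuples that repeat, which is the shape of a beacon rather than a one-off SPF or DKIM lookup. The log format, the process names, the entropy threshold and the "zone = last two labels" rule are all assumptions; real logs would need their own parser and a public-suffix list.

```python
import math
import re
from collections import Counter

# Constructed sample DNS client log lines (syslog-style); not from any real capture.
SAMPLE_LOG = """\
2017-08-15T09:12:01Z host=ws-042 proc=Xshell.exe qtype=TXT qname=a3f9c1e47b2d.example-dns-internal.test
2017-08-15T09:12:31Z host=ws-042 proc=Xshell.exe qtype=TXT qname=9d0e7b5c2a1f.example-dns-internal.test
2017-08-15T09:13:01Z host=ws-042 proc=Xshell.exe qtype=TXT qname=c4b8a2e1f6d3.example-dns-internal.test
2017-08-15T09:13:05Z host=ws-017 proc=outlook.exe qtype=MX qname=mail.corp.example
2017-08-15T09:13:09Z host=ws-017 proc=chrome.exe qtype=A qname=www.corp.example
2017-08-15T09:14:00Z host=ws-099 proc=spf-check.exe qtype=TXT qname=corp.example
"""

# Assumed log layout: key=value pairs; only these four fields are used.
LINE_RE = re.compile(
    r"host=(?P<host>\S+) proc=(?P<proc>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)"
)


def shannon_entropy(text: str) -> float:
    """Bits per character; hex-like labels with many distinct characters score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (leading_label, zone); zone is the last two labels (no public-suffix list here)."""
    labels = qname.rstrip(".").split(".")
    return labels[0], ".".join(labels[-2:])


def suspicious_txt_queries(log_text: str, min_label_len: int = 8, min_entropy: float = 3.0) -> Counter:
    """Count TXT queries per (host, process, zone) whose leading label looks like encoded data."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["qtype"] != "TXT":
            continue
        label, zone = split_qname(m["qname"])
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            counts[(m["host"], m["proc"], zone)] += 1
    return counts


def flag_beacons(log_text: str, min_queries: int = 3) -> dict:
    """Keep only (host, process, zone) tuples that repeat, i.e. periodic beacon-like behaviour."""
    return {k: v for k, v in suspicious_txt_queries(log_text).items() if v >= min_queries}


if __name__ == "__main__":
    for (host, proc, zone), n in flag_beacons(SAMPLE_LOG).items():
        print(f"{host} {proc} -> {zone}: {n} encoded TXT queries")
```

Each flagged tuple is a triage lead, not a verdict: confirm it by checking the process image on that host against the remediated build list and inspecting the loaded nssock2.dll.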

Remediation

Patch, then assume compromise.

Do not track or remediate this issue under CVE-2025-34252, because the record is rejected. Use the reassigned identifier CVE-2017-20203 for vulnerability management and reporting. Replace affected NetSarang builds with the remediated versions: Xmanager Enterprise Build 1236, Xmanager Build 1049, Xshell Build 1326, Xftp Build 1222, and Xlpd Build 1224. Remove the malicious nssock2.dll from affected installations and investigate hosts for secondary payloads, persistence artifacts, and registry-resident data created by the backdoor.

PUBLIC EXPLOITS

Exploits
No public exploit code observed for this vulnerability.
