CVE-2025-26155

CVE-2025-26155 is an Untrusted Search Path vulnerability (CWE-426) affecting NCP Secure Enterprise Client version 13.18 and NCP Secure Entry Windows Client version 13.19. These are Windows-based VPN clients from NCP Engineering, used for secure remote access. The vulnerability arises from the software's failure to properly validate the path of executable files or libraries, allowing execution of untrusted code from insecure locations. It received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By placing a malicious executable or DLL in a directory included in the client's search path—such as a writable location prioritized over secure paths—the attacker tricks the client into loading and executing the malicious code. Successful exploitation grants high-level access, potentially leading to full system compromise, including arbitrary code execution, data theft, modification, or denial of service on the affected Windows host.

Mitigation details are outlined in advisories from Axians and NCP Engineering. Security practitioners should consult the primary advisory at https://pentest.axians.de/viewer.html?file=cve-2025-26155/CVE-axians-eng.pdf and the vendor site at https://www.ncp-e.com/ for patching instructions, likely involving updated client versions or configuration changes to enforce trusted paths. Applying vendor patches promptly is recommended to prevent exploitation.