Cyber Resilience

CVE-2025-26155

CriticalPublic PoC

Published: 26 November 2025

Published
26 November 2025
Modified
30 December 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0008 23.9th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26155 is a critical-severity Untrusted Search Path (CWE-426) vulnerability in Ncp-E Ncp Secure Entry Client. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique DLL (T1574.001); ranked at the 23.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-26155 is an Untrusted Search Path vulnerability (CWE-426) affecting NCP Secure Enterprise Client version 13.18 and NCP Secure Entry Windows Client version 13.19. These are Windows-based VPN clients from NCP Engineering, used for secure remote access. The vulnerability arises from the software's failure to properly validate the path of executable files or libraries, allowing execution of untrusted code from insecure locations. It received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By placing a malicious executable or DLL in a directory included in the client's search path—such as a writable location prioritized over secure paths—the attacker tricks the client into loading and executing the malicious code. Successful exploitation grants high-level access, potentially leading to full system compromise, including arbitrary code execution, data theft, modification, or denial of service on the affected Windows host.

Mitigation details are outlined in advisories from Axians and NCP Engineering. Security practitioners should consult the primary advisory at https://pentest.axians.de/viewer.html?file=cve-2025-26155/CVE-axians-eng.pdf and the vendor site at https://www.ncp-e.com/ for patching instructions, likely involving updated client versions or configuration changes to enforce trusted paths. Applying vendor patches promptly is recommended to prevent exploitation.

EU & UK References

Vulnerability details

NCP Secure Enterprise Client 13.18 and NCP Secure Entry Windows Client 13.19 have an Untrusted Search Path vulnerability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1574.001 DLL Stealth
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses.
T1574.008 Path Interception by Search Order Hijacking Stealth
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Untrusted Search Path (CWE-426) directly enables DLL Search Order Hijacking (T1038) and Path Interception by Search Order Hijacking (T1574.008) by allowing malicious DLLs/executables in insecure directories; exploited remotely in client software for RCE (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25880Shared CWE-426
CVE-2025-27167Shared CWE-426
CVE-2026-25926Shared CWE-426
CVE-2026-32009Shared CWE-426
CVE-2025-1068Shared CWE-426
CVE-2026-21280Shared CWE-426
CVE-2026-30906Shared CWE-426
CVE-2026-23512Shared CWE-426
CVE-2022-4987Shared CWE-426
CVE-2025-21399Shared CWE-426

Affected Assets

ncp-e
ncp secure entry client
13.19
ncp-e
secure enterprise client
13.18

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation through vendor patching directly eliminates the untrusted search path vulnerability in the NCP VPN clients.

prevent

Requiring signed components and prohibiting execution of unsigned executables or DLLs prevents malicious code placed in untrusted search paths from loading.

preventdetect

Malicious code protection mechanisms scan for and block execution of malicious DLLs or executables that could be loaded via the untrusted search path.

References