CVE-2025-26155
Published: 26 November 2025
Summary
CVE-2025-26155 is a critical-severity Untrusted Search Path (CWE-426) vulnerability in Ncp-E Ncp Secure Entry Client. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique DLL (T1574.001); ranked at the 23.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely flaw remediation through vendor patching directly eliminates the untrusted search path vulnerability in the NCP VPN clients.
Requiring signed components and prohibiting execution of unsigned executables or DLLs prevents malicious code placed in untrusted search paths from loading.
Malicious code protection mechanisms scan for and block execution of malicious DLLs or executables that could be loaded via the untrusted search path.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Untrusted Search Path (CWE-426) directly enables DLL Search Order Hijacking (T1038) and Path Interception by Search Order Hijacking (T1574.008) by allowing malicious DLLs/executables in insecure directories; exploited remotely in client software for RCE (T1203).
NVD Description
NCP Secure Enterprise Client 13.18 and NCP Secure Entry Windows Client 13.19 have an Untrusted Search Path vulnerability.
Deeper analysisAI
CVE-2025-26155 is an Untrusted Search Path vulnerability (CWE-426) affecting NCP Secure Enterprise Client version 13.18 and NCP Secure Entry Windows Client version 13.19. These are Windows-based VPN clients from NCP Engineering, used for secure remote access. The vulnerability arises from the software's failure to properly validate the path of executable files or libraries, allowing execution of untrusted code from insecure locations. It received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By placing a malicious executable or DLL in a directory included in the client's search path—such as a writable location prioritized over secure paths—the attacker tricks the client into loading and executing the malicious code. Successful exploitation grants high-level access, potentially leading to full system compromise, including arbitrary code execution, data theft, modification, or denial of service on the affected Windows host.
Mitigation details are outlined in advisories from Axians and NCP Engineering. Security practitioners should consult the primary advisory at https://pentest.axians.de/viewer.html?file=cve-2025-26155/CVE-axians-eng.pdf and the vendor site at https://www.ncp-e.com/ for patching instructions, likely involving updated client versions or configuration changes to enforce trusted paths. Applying vendor patches promptly is recommended to prevent exploitation.
Details
- CWE(s)