Security readout for executives and security teams
Plain-English summary
A trusted IT tool from NetSarang (Xshell, Xmanager, Xftp, Xlpd) was secretly tampered with in 2017 so that installing it placed a hidden backdoor on the computer. Attackers could remotely take control, steal data, and stay hidden. NetSarang released clean updates after Kaspersky discovered active abuse.
Executive priority
Treat as a confirmed historical supply chain breach. If NetSarang 5.0 builds were ever installed, assume potential compromise and trigger incident response, not just patching.
Technical view
Affected NetSarang 5.0 builds shipped a trojanized nssock2.dll (CWE-506) implementing a dormant, multi-stage DNS C2. It resolved DGA domains via TXT records, decrypted a payload using a key delivered over DNS, executed arbitrary code, and maintained an encrypted registry-based VFS for persistence, RCE, and exfiltration.
Likely exposure
Exposure is limited to environments that installed the specific compromised 5.0 builds (Xmanager Enterprise 1232, Xmanager 1045, Xshell 1322, Xftp 1218, Xlpd 1220) between their release and NetSarang's July 2017 fix. Admin and DevOps workstations using SSH/SFTP tooling are the typical footprint.
Exploitation context
Kaspersky confirmed exploitation in the wild in August 2017, observing the backdoor activate at a Hong Kong financial institution. The trojanized installers were signed and distributed through NetSarang's official channels, so any organization that downloaded affected builds in mid-2017 was implicitly exposed.
Researcher notes
This is the ShadowPad supply chain compromise. The malicious nssock2.dll uses a monthly DGA, retrieves a stage via DNS TXT, then deploys a modular framework with an encrypted registry-resident VFS. Hunt on outbound DNS TXT lookups from NetSarang processes, registry blobs under Software\NetSarang-related keys, and known IOCs from Kaspersky/Securelist. KEV is false, but in-the-wild use is documented.
Mitigation direction
- Upgrade to NetSarang fixed builds: Xmanager Enterprise 1236, Xmanager 1049, Xshell 1326, Xftp 1222, Xlpd 1224.
- Remove any nssock2.dll matching the malicious hashes documented by Kaspersky and NetSarang.
- Rotate credentials, SSH keys, and secrets stored or used on hosts that ran affected builds.
- Block and monitor outbound DNS to the DGA domains identified in Kaspersky's ShadowPad analysis.
- Treat affected hosts as potentially compromised and initiate forensic review per IR policy.
Validation and detection
- Inventory all hosts that installed NetSarang 5.0 builds between approximately April and August 2017.
- Compare installed nssock2.dll hashes against Kaspersky and NetSarang published indicators.
- Review historical DNS logs for TXT queries to ShadowPad DGA domains from NetSarang client hosts.
- Confirm current installs are at or above NetSarang's fixed build numbers per vendor advisory.
- Search registry hives on suspect hosts for unexpected encrypted blobs associated with the VFS.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-506: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupExecution behavior lookup
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2017-20203 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Critical
- CVSS
- 9.3 (4.0)
- Known Exploited
- No
- Published
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N——Primary CVE scoreVulnerability scoring details
Base CVSS 4.0 score
9.3CriticalVector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Source materials
- CVE List V5 sourceCVE List V5
- https://web.archive.org/web/20181022035109/https://www.netsarang.com/news/security_exploit_in_july_18_2017_build.htmlCVE reference · vendor-advisory, patch
- https://usa.kaspersky.com/about/press-releases/shadowpad-attackers-hid-backdoor-in-software-used-by-hundreds-of-large-companies-worldwideCVE reference · technical-description
- https://securelist.com/shadowpad-in-corporate-networks/81432/CVE reference · technical-description
- https://www.vulncheck.com/advisories/netsarang-malicious-backdoor-supply-chain-compromiseCVE reference · third-party-advisory
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Embedded Malicious Code
Embedded Malicious Code represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
