LiveActive security incident?Get immediate response
CVE Record

CVE-2017-20203: NetSarang v5.0 Malicious Backdoor Supply Chain Compromise

NetSarang Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220 contain a malicious nssock2.dll that implements a multi-stage, DNS-based backdoor. The dormant library contacts a C2 DNS server via a specially crafted TXT record for a month‑generated domain. After receiving a decryption key, it then downloads and executes arbitrary code, creates an encrypted virtual file system (VFS) in the registry, and grants the attacker full remote code execution, data exfiltration, and persistence. NetSarang released builds for each product line that remediated the compromise: Xmanager Enterprise Build 1236, Xmanager Build 1049, Xshell Build 1326, Xftp Build 1222, and Xlpd Build 1224. Kaspersky Lab identified an instance of exploitation in the wild in August 2017.

CriticalCVSS 9.3Not KEV-listedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

A trusted IT tool from NetSarang (Xshell, Xmanager, Xftp, Xlpd) was secretly tampered with in 2017 so that installing it placed a hidden backdoor on the computer. Attackers could remotely take control, steal data, and stay hidden. NetSarang released clean updates after Kaspersky discovered active abuse.

Executive priority

Treat as a confirmed historical supply chain breach. If NetSarang 5.0 builds were ever installed, assume potential compromise and trigger incident response, not just patching.

Technical view

Affected NetSarang 5.0 builds shipped a trojanized nssock2.dll (CWE-506) implementing a dormant, multi-stage DNS C2. It resolved DGA domains via TXT records, decrypted a payload using a key delivered over DNS, executed arbitrary code, and maintained an encrypted registry-based VFS for persistence, RCE, and exfiltration.

Likely exposure

Exposure is limited to environments that installed the specific compromised 5.0 builds (Xmanager Enterprise 1232, Xmanager 1045, Xshell 1322, Xftp 1218, Xlpd 1220) between their release and NetSarang's July 2017 fix. Admin and DevOps workstations using SSH/SFTP tooling are the typical footprint.

Exploitation context

Kaspersky confirmed exploitation in the wild in August 2017, observing the backdoor activate at a Hong Kong financial institution. The trojanized installers were signed and distributed through NetSarang's official channels, so any organization that downloaded affected builds in mid-2017 was implicitly exposed.

Researcher notes

This is the ShadowPad supply chain compromise. The malicious nssock2.dll uses a monthly DGA, retrieves a stage via DNS TXT, then deploys a modular framework with an encrypted registry-resident VFS. Hunt on outbound DNS TXT lookups from NetSarang processes, registry blobs under Software\NetSarang-related keys, and known IOCs from Kaspersky/Securelist. KEV is false, but in-the-wild use is documented.

Mitigation direction

  • Upgrade to NetSarang fixed builds: Xmanager Enterprise 1236, Xmanager 1049, Xshell 1326, Xftp 1222, Xlpd 1224.
  • Remove any nssock2.dll matching the malicious hashes documented by Kaspersky and NetSarang.
  • Rotate credentials, SSH keys, and secrets stored or used on hosts that ran affected builds.
  • Block and monitor outbound DNS to the DGA domains identified in Kaspersky's ShadowPad analysis.
  • Treat affected hosts as potentially compromised and initiate forensic review per IR policy.

Validation and detection

  • Inventory all hosts that installed NetSarang 5.0 builds between approximately April and August 2017.
  • Compare installed nssock2.dll hashes against Kaspersky and NetSarang published indicators.
  • Review historical DNS logs for TXT queries to ShadowPad DGA domains from NetSarang client hosts.
  • Confirm current installs are at or above NetSarang's fixed build numbers per vendor advisory.
  • Search registry hives on suspect hosts for unexpected encrypted blobs associated with the VFS.
Prepared
Confidence
high
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-506: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2017-20203 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.3 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
5Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.3CVSS 4.0CriticalCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:NPrimary CVE score

Vulnerability scoring details

Base CVSS 4.0 score

9.3Critical
CVSS 4.0 vector shape for CVE-2017-20203Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
NetSarang Computer, Inc.Xmanager Enterprise5.0 Build 1232unaffected
NetSarang Computer, Inc.Xmanager5.0 Build 1045unaffected
NetSarang Computer, Inc.Xshell5.0 Build 1322unaffected
NetSarang Computer, Inc.Xftp5.0 Build 1218unaffected
NetSarang Computer, Inc.Xlpd5.0 Build 1220unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-506 · source CWE mapping

Embedded Malicious Code

Embedded Malicious Code represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.