Local Privilege Escalation in NetBT e‑Fatura (CVE‑2025‑14018) Threatens Windows Server 2019 Deployments
What Happened — A CWE‑428 unquoted search‑path flaw (CVE‑2025‑14018) in NetBT e‑Fatura allows any local, non‑privileged Windows user to execute arbitrary code as SYSTEM. The vulnerability was publicly disclosed on Exploit‑DB (EDB‑ID 52509) with a working PoC that hijacks the InboxProcessor service binary path.
Why It Matters for TPRM —
- Attackers who gain a foothold on a compromised host can pivot to full domain control, jeopardizing all downstream third‑party services.
- The flaw is exploitable without network access, making it a high‑impact risk for any vendor that runs the e‑Fatura web‑app on Windows Server 2019 or similar environments.
- Unpatched instances can be leveraged for ransomware deployment, data exfiltration, or supply‑chain compromise affecting your own organization.
Who Is Affected — Financial services, accounting SaaS, and any enterprise that integrates NetBT e‑Fatura (ERP/Invoice processing) on Windows Server 2019 or later.
Recommended Actions —
- Verify whether the NetBT e‑Fatura component is in use across your vendor ecosystem.
- Ensure the service binary path is quoted or relocate the executable to a directory without write permissions for non‑admin users.
- Apply any vendor‑issued patches; if none exist, mitigate by restricting local logon rights and employing application whitelisting.
Technical Notes — The vulnerability stems from an unquoted service path (C:\inetpub\wwwroot\InboxProcessor\Netbt.Inbox.Process.exe). A low‑privilege user who can write to a location that the Service Control Manager resolves before the intended Netbt.Inbox.Process.exe can drop a malicious executable there; on the next service start the SCM launches the attacker‑controlled binary as LocalSystem. No CVE‑specific patch was listed at the time of disclosure. Source: Exploit‑DB 52509
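As an added audit aid (not part of the advisory or of NetBT e‑Fatura), the following PowerShell script checks the two conditions named under Recommended Actions on a Windows server: services whose ImagePath is unquoted and contains spaces (the CWE‑428 search‑order candidates), and service binaries or their directories that low‑privilege groups can write to. Group names and the write‑permission mask are assumptions for a default English install.

```powershell
# Added audit script; not part of the advisory or of NetBT e-Fatura.
# Reports services whose binary a non-admin user could replace: an unquoted
# ImagePath with spaces (CWE-428 search-order candidates) or a binary/directory
# writable by low-privilege groups. Run from an elevated prompt on the host.
function Get-ServicePathRisk {
    $lowPriv   = 'BUILTIN\\Users|Everyone|Authenticated Users|INTERACTIVE'  # assumed group names
    $writeMask = 'Write|Modify|FullControl|CreateFiles|WriteData|AppendData'
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $raw = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }
        $quoted = $raw.StartsWith('"')
        # Executable portion: the quoted token, or the text up to the first ".exe".
        $exe = if ($quoted) { $raw.Split('"')[1] }
               elseif ($raw -match '^(.*?\.exe)') { $Matches[1] }
               else { $raw }
        # Paths the SCM tries, in order, when the path is unquoted and has spaces:
        # C:\Program Files\Foo\a.exe -> C:\Program.exe, then C:\Program Files\Foo\a.exe
        $targets = @()
        if (-not $quoted -and $exe -match ' ') {
            $parts = $exe -split ' '
            for ($i = 1; $i -lt $parts.Count; $i++) {
                $targets += (($parts[0..($i - 1)] -join ' ') + '.exe')
            }
        }
        $targets += $exe   # the real binary and its directory are always checked
        foreach ($t in $targets) {
            foreach ($p in @($t, (Split-Path -Path $t -Parent))) {
                if (-not (Test-Path -LiteralPath $p)) { continue }
                $writable = (Get-Acl -LiteralPath $p).Access | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.IdentityReference.Value -match $lowPriv -and
                    $_.FileSystemRights.ToString() -match $writeMask
                }
                if ($writable) {
                    [pscustomobject]@{
                        Service = $svc.Name
                        RunsAs  = $svc.StartName
                        Quoted  = $quoted
                        Path    = $p
                        Grantee = ($writable.IdentityReference.Value -join ', ')
                    }
                }
            }
        }
    }
}
Get-ServicePathRisk | Sort-Object Service | Format-Table -AutoSize
```

Any row for a service whose RunsAs is LocalSystem is the case the advisory describes; quote the ImagePath in the service's registry key or move the binary to a directory without non‑admin write access, then re‑run the script to confirm the row disappears.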