
The Collector V6.27.X Release – Security Bulletin


Some security concerns were noticed for the Collector prior to V6.27.1 and Nexthink Act scripts.
What are the details and impact of this?


Nexthink recommends that customers upgrade to the Collector V6.27.1.181 or newer when available.
The newer versions are available for download or update.

This release addresses a local privilege escalation vulnerability affecting the Collector on Windows. Details can be found in Annex 1.

Mitigating factors

This vulnerability is not related to a publicly known CVE and there is no exploitation code publicly available.
This section describes all conditions and prerequisites required by an attacker in order to successfully exploit the vulnerability:

  • Exploitation requires product-specific knowledge and custom written exploit code.

  • This vulnerability cannot be exploited remotely.

  • The attacker must be authenticated on the target system.

  • The vulnerability cannot be triggered by the attacker – they must wait for the execution of a Nexthink Act script, scheduled from Nexthink Finder.

Nexthink is making this communication available to existing customers and partners only, in order to allow our customers to respond and remediate in accordance with their internal processes. Contact Nexthink Support if you have any further questions or concerns.

Annex 1

Local Privilege Escalation through ACL issue on Windows Collectors before v6.27.1.181

Executive Summary

On Windows, an ACL issue in the directory used by the Collector to store Nexthink Act scripts
allows an attacker –in some configurations– to exploit a race condition to replace a script after
the signature verification is complete and before the script is executed. Certain Nexthink Act
scripts are executed with LocalSystem privileges.

Security Update

An update is available and affected customers are encouraged to upgrade.
See also the Affected Software section below.

Vulnerability information

The directory used by the Collector to store Nexthink Act scripts is writeable by low privileged
users. The Nexthink Act scripts themselves are randomly named and have a strong ACL so that
the file system will not allow the scripts to simply be replaced.

With additional tools and custom written exploit code, it is possible to monitor the directory for
file changes and then replace the file as a low privileged user. A few tens of milliseconds pass
between script file creation and script execution, and the attack window is a few exact
milliseconds within that time.

Affected software

  • All Windows Collector versions older than v6.27.1.181, with Nexthink Act enabled, are affected.


To remediate this vulnerability in older versions without upgrading, customers can remove
write access to the following directories from Authenticated Users, and optionally from Local
Administrators as well:

  • C:\ProgramData\Nexthink\RemoteActions\Scripts\System

  • C:\ProgramData\Nexthink\RemoteActions\Scripts\User

This can be done manually, through GPO, or using the Nexthink Act script attached to this
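
One way to apply the manual option with PowerShell, as an added example (it is not the Nexthink Act script mentioned above and not Nexthink's code). The `-Fix` switch and the helper name `Get-WritableRule` are assumptions of this example, and it assumes the ACEs use specific file rights rather than generic-rights bits.

```powershell
# Added example (not Nexthink's script): report, and with -Fix remove,
# write-type rights on the Nexthink Act script directories. Run elevated.
param([switch]$Fix)  # assumption: report-only unless -Fix is passed

$dirs = 'C:\ProgramData\Nexthink\RemoteActions\Scripts\System',
        'C:\ProgramData\Nexthink\RemoteActions\Scripts\User'
# S-1-5-11 = Authenticated Users (well-known SID, locale-independent).
# Append 'S-1-5-32-544' (BUILTIN\Administrators) for the optional step.
$sids = @('S-1-5-11')
# Write-type bits only. Modify and FullControl are not named because they
# include read bits; their write bits are still caught by the -band test.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$sidType = [System.Security.Principal.SecurityIdentifier]

function Get-WritableRule($Acl) {
    # Allow ACEs for the listed SIDs that carry at least one write-type bit.
    $Acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -in $sids -and
        ($_.FileSystemRights -band $writeMask)
    }
}

foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir)) { Write-Warning "Missing: $dir"; continue }
    $acl  = Get-Acl -LiteralPath $dir
    $hits = @(Get-WritableRule $acl)
    foreach ($r in $hits) {
        '{0}: {1} has {2} (inherited={3})' -f $dir, $r.IdentityReference, $r.FileSystemRights, $r.IsInherited
    }
    if (-not $Fix -or $hits.Count -eq 0) { continue }

    if ($hits.IsInherited -contains $true) {
        # Inherited ACEs cannot be edited in place: stop inheriting, keep a
        # copy of the inherited entries as explicit ACEs, then reload.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $dir -AclObject $acl
        $acl = Get-Acl -LiteralPath $dir
    }
    foreach ($r in Get-WritableRule $acl) {
        # Strip only the write bits so read and list access stay intact.
        $strip = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $r.IdentityReference, ($r.FileSystemRights -band $writeMask),
            $r.InheritanceFlags, $r.PropagationFlags, 'Allow')
        [void]$acl.RemoveAccessRule($strip)
    }
    Set-Acl -LiteralPath $dir -AclObject $acl
    if (Get-WritableRule (Get-Acl -LiteralPath $dir)) { Write-Warning "Still writable: $dir" }
}
```

Run without `-Fix` first to see which entries would change; the final check re-reads each directory's ACL and warns if a write-type entry for the listed SIDs remains.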


This vulnerability was found during a penetration test, as part of our regular security reviews.


The use of the software is subject to the terms and conditions of its applicable license
agreement and then effective documentation. This information is provided “as-is” without
a warranty of any kind.


First release
