A privilege escalation vulnerability has been identified in NetBT e-Fatura, a widely used electronic invoicing solution in Turkey.
Tracked as CVE-2025-14018 and classified under CWE-428 (Unquoted Search Path or Element), the flaw exists in the InboxProcessor Windows service. Because the service's binary path is not properly quoted, a local attacker with limited privileges can place a malicious executable in a specific directory and achieve SYSTEM-level access when the service starts.
Technical Details
The service is registered with the following binary path:
C:\inetpub\wwwroot\InboxProcessor\Netbt.Inbox.Process.exe
Because the path is not quoted and contains spaces, Windows will look for the executable at several locations before reaching the intended one, including:
1. C:\inetpub\wwwroot\InboxProcessor\Netbt.Inbox.exe
2. C:\inetpub\wwwroot\InboxProcessor\Netbt.exe
3. etc.
The directory C:\inetpub\wwwroot\InboxProcessor\ grants write permission to the BUILTIN\Users group, so a low-privileged user can place a malicious executable there that will be run as SYSTEM whenever the service is restarted.
Impact
An attacker who successfully exploits this vulnerability can:
1. Gain SYSTEM rights from a normal user
2. Install permanent malware
3. Modify or gain access to sensitive files on the system
4. Potentially take over the server
Security researcher Seccops found this vulnerability while testing on Windows Server 2019 running NetBT e-Fatura version 2024.
Recommendations
If your organization uses NetBT e-Fatura:
1. Apply the vendor's most recent security patch as soon as possible.
2. If a patch cannot be applied immediately, there are two options:
a. Quote the service's binary path in the Windows registry service configuration, or
b. Deny the Users group write permission on the C:\inetpub\wwwroot\InboxProcessor\ directory.
3. Regularly audit Windows services for unquoted paths with tools such as accesschk or PowerShell scripts.
4. Monitor service directories for unexpected files that appear.
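An audit script of the kind recommendation 3 refers to, added here as an example rather than taken from the advisory or the vendor: it lists every service whose binary path is unquoted and contains spaces, and flags any directory Windows would probe (or the binary's own directory, which is the weak point in this advisory) that is writable by a low-privileged group. It assumes an elevated PowerShell session and treats BUILTIN\Users, Everyone and Authenticated Users as the low-privileged principals of interest.

```powershell
# Added example (not from the advisory): audit services for unquoted ImagePath
# values with spaces and for service directories writable by low-privileged
# groups. Run from an elevated PowerShell session on the host being checked.
$weakGroups = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

function Get-WeakWriteAces([string]$Dir) {
    # Return Allow ACEs on $Dir that grant write-type rights to a weak group.
    if (-not (Test-Path -LiteralPath $Dir)) { return }
    foreach ($ace in (Get-Acl -LiteralPath $Dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($weakGroups -notcontains $ace.IdentityReference.Value) { continue }
        if ("$($ace.FileSystemRights)" -match 'Write|Modify|FullControl|CreateFiles') {
            [pscustomobject]@{ Directory = $Dir; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $path = $_.PathName
    if (-not $path) { return }
    # Isolate the executable part: everything up to the first ".exe" (arguments may follow).
    $idx = $path.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    $exe = if ($idx -ge 0) { $path.Substring(0, $idx + 4) } else { $path }
    $unquoted = (-not $exe.StartsWith('"')) -and ($exe -match ' ')
    # Directories to inspect: where the binary lives, plus every prefix that
    # Windows would try as "<prefix>.exe" when the path is unquoted with spaces.
    $dirs = @(Split-Path -Path $exe.Trim('"') -Parent)
    if ($unquoted) {
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $dirs += Split-Path -Path (($parts[0..($i - 1)] -join ' ') + '.exe') -Parent
        }
    }
    $weak = $dirs | Sort-Object -Unique | ForEach-Object { Get-WeakWriteAces $_ }
    if ($unquoted -or $weak) {
        [pscustomobject]@{
            Service    = $_.Name
            RunsAs     = $_.StartName
            Unquoted   = $unquoted
            ImagePath  = $path
            WritableBy = ($weak | ForEach-Object { "$($_.Principal) ($($_.Rights)) on $($_.Directory)" }) -join '; '
        }
    }
} | Format-List
```

A service that runs as LocalSystem and shows a non-empty WritableBy column is the condition described in this advisory; quoting the path alone does not help when the binary's own directory is writable, so both remediations above should be applied.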
The vulnerability described above is an example of how a small configuration error in third-party software can create a major risk of escalating privileges on Windows systems. If you're running your e-fatura solution on a server that stores sensitive financial or tax-related information, this update is critical for your organization.
Stay secure: Always verify that services running as SYSTEM have properly quoted paths and minimal permissions on their installation directories.
Source: Exploit DB