The Collector V6.27.x release

Question

Security concerns were raised about Collector versions prior to V6.27.1 and their handling of Nexthink Act scripts. What are the details and impact?

Answer

Nexthink recommends that customers upgrade to Collector V6.27.1.181 or newer as soon as it is available to them. The newer versions are available for download or update.

This release addresses a local privilege escalation vulnerability affecting the Collector on Windows. Details can be found in Annex 1.

Mitigating factors

This vulnerability is not related to a publicly known CVE and there is no exploitation code publicly available. This section describes all conditions and prerequisites required by an attacker in order to successfully exploit the vulnerability:

  • Exploitation requires product-specific knowledge and custom written exploit code.

  • This vulnerability cannot be exploited remotely.

  • The attacker must be authenticated on the target system.

  • The attacker cannot trigger the vulnerability on demand; they must wait for a Nexthink Act script, scheduled from Nexthink Finder, to execute on the target system.

Nexthink is making this communication available to existing customers and partners only, in order to allow our customers to respond and remediate in accordance with their internal processes. Contact Nexthink Support if you have any further questions or concerns.

Annex 1

Local Privilege Escalation through ACL issue on Windows Collectors before v6.27.1.181

Executive Summary

On Windows, an ACL issue in the directory used by the Collector to store Nexthink Act scripts allows an attacker, in some configurations, to exploit a race condition to replace a script after the signature verification is complete and before the script is executed. Certain Nexthink Act scripts are executed with LocalSystem privileges.

Security Update

An update is available and affected customers are encouraged to upgrade. Refer to the Affected Software section below.

Vulnerability information

The directory used by the Collector to store Nexthink Act scripts is writable by low-privileged users. The Nexthink Act scripts themselves are randomly named and carry a strong ACL, so the file system does not allow the scripts to be overwritten directly; however, whether an entry can be removed and recreated under the same name is governed by the directory's permissions, not by the file's own ACL.

With additional tooling and custom-written exploit code, a low-privileged user can monitor the directory for file changes and replace the script file in the window between signature verification and execution. A few tens of milliseconds pass between script file creation and script execution; the usable attack window is only a few milliseconds within that interval.

Affected software

  • All Windows Collector versions older than v6.27.1.181, with Nexthink Act enabled, are affected.

Workaround

To remediate this vulnerability in older versions without upgrading, customers can remove write access to the following directories from Authenticated Users and optionally from Local Administrators as well:

  • C:\ProgramData\Nexthink\RemoteActions\Scripts\System

  • C:\ProgramData\Nexthink\RemoteActions\Scripts\User

This can be done manually, through GPO, or using the Nexthink Act script attached to this article.
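The following PowerShell is an added example of the workaround above; it is not the Nexthink Act script attached to this article. It strips write-type rights (write, delete, delete-child, change-permissions, take-ownership) from Authenticated Users on the two directories named above, leaving their read and execute rights in place, and can optionally do the same for BUILTIN\Administrators. Principals are addressed by well-known SID (S-1-5-11 and S-1-5-32-544) so the script also works on localized Windows. It assumes the Collector itself runs as LocalSystem, whose own ACE is not touched, and that the directories already exist (they are created once Nexthink Act is in use). Run it from an elevated PowerShell session.

```powershell
# Added example (not Nexthink's attached Act script): remove write access for
# Authenticated Users, and optionally local Administrators, from the Nexthink Act
# script directories. Assumes the Collector runs as LocalSystem (ACE left untouched).

$ScriptDirs = @(
    'C:\ProgramData\Nexthink\RemoteActions\Scripts\System',
    'C:\ProgramData\Nexthink\RemoteActions\Scripts\User'
)

# Well-known SIDs, so the script does not depend on localized group names.
$AuthenticatedUsers  = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
$LocalAdministrators = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'

# Every right that lets a principal add, replace, delete or re-permission files.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
$FullControlMask = [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Get-AllowRules {
    # All Allow entries (explicit and inherited) for one SID on a directory ACL.
    param([System.Security.AccessControl.DirectorySecurity]$Acl,
          [System.Security.Principal.SecurityIdentifier]$Sid)
    $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $Sid.Value -and $_.AccessControlType -eq 'Allow' }
}

function Test-WriteAccess {
    # True if $Sid still holds an Allow entry with any write-type right on $Path.
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid)
    $acl = Get-Acl -LiteralPath $Path
    [bool](Get-AllowRules -Acl $acl -Sid $Sid |
           Where-Object { ([int]$_.FileSystemRights -band $WriteMask) -ne 0 })
}

function Remove-WriteAccess {
    param([string]$Path, [System.Security.Principal.SecurityIdentifier[]]$Principals)

    # Step 1: the offending entry may be inherited from C:\ProgramData. Protect the
    # DACL, keep the inherited entries as explicit copies, and persist so that the
    # copies become editable on the next read.
    $acl = Get-Acl -LiteralPath $Path
    if (-not $acl.AreAccessRulesProtected) {
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $Path -AclObject $acl
    }

    # Step 2: strip write-type bits from each principal's Allow entries, keeping
    # whatever non-write rights they carried (typically ReadAndExecute).
    $acl = Get-Acl -LiteralPath $Path
    foreach ($sid in $Principals) {
        foreach ($rule in @(Get-AllowRules -Acl $acl -Sid $sid)) {
            $mask = [int]$rule.FileSystemRights
            if (($mask -band $WriteMask) -eq 0) { continue }   # read-only entry, leave it
            [void]$acl.RemoveAccessRuleSpecific($rule)
            # Mask to FullControl: the rule constructor rejects generic-right bits.
            $remaining = $mask -band (-bnot $WriteMask) -band $FullControlMask
            if ($remaining -ne 0) {
                $newRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
                    $sid, [System.Security.AccessControl.FileSystemRights]$remaining,
                    $rule.InheritanceFlags, $rule.PropagationFlags, 'Allow')
                $acl.AddAccessRule($newRule)
            }
        }
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

foreach ($dir in $ScriptDirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        Write-Warning "Not present (Nexthink Act may not be enabled or used yet): $dir"
        continue
    }
    # Add $LocalAdministrators to the list to also cover local administrators.
    Remove-WriteAccess -Path $dir -Principals @($AuthenticatedUsers)
    if (Test-WriteAccess -Path $dir -Sid $AuthenticatedUsers) {
        Write-Error "Authenticated Users can still write to $dir"
    } else {
        "OK: no write access for Authenticated Users on $dir"
    }
}
```

The script removes rights rather than adding a Deny entry on purpose: LocalSystem is itself a member of Authenticated Users, so a Deny would also block the Collector from writing its own scripts. After running it, review the resulting DACL with `icacls` and confirm that no other broad group (Users, Everyone) retains write or delete rights on these directories, since the article names only Authenticated Users and local Administrators.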

Acknowledgment

This vulnerability was found during a penetration test, as part of our regular security reviews.

Disclaimer

The use of the software is subject to the terms and conditions of its applicable license agreement and the then-effective documentation. This information is provided “as-is” without a warranty of any kind.

Revision

First release

Last updated