(information graciously allowed for republication from Galactic Advisors)
Two vulnerabilities have been identified in RapidFire Tools Network Detective, a system assessment and reporting tool developed by Kaseya (RapidFire Tools). These issues significantly compromise the confidentiality and integrity of credentials gathered and processed during routine network scans, exposing sensitive data to both local attackers and potentially malicious insiders.
During its normal operation, Network Detective saves usernames and passwords in plain, readable text across several temporary files. These files are stored locally on the device and are not protected or hidden. In many cases, the credentials collected include privileged or administrative accounts, such as those used for VMware.
An attacker who gains access to the machine running the scan—whether physically, remotely, or through malware—can easily retrieve these passwords without needing to decrypt anything. This presents a serious risk to client infrastructure, especially when those credentials are reused or provide broad system access.
RapidFire Tools Network Detective uses a flawed method to encrypt passwords and other sensitive data during network scans. The encryption process is based on static, built-in values, which means it produces the same result every time for the same input. This makes it possible for anyone with access to the tool or encrypted data to easily reverse the encryption and retrieve original passwords.
This weakness puts client environments at risk, especially since the encrypted data often includes administrative credentials. The encryption does not follow modern security standards, and attackers do not need special tools or expertise to break it—only access to the files or application.
Network Detective, a product developed by RapidFire Tools (a Kaseya company), is designed to scan networks for vulnerabilities, misconfigurations, and compliance issues. It is used by managed service providers (MSPs), IT consultants, and internal IT departments to assess network health and generate reports. While commonly deployed as a standalone binary for one-off scans—often during sales or onboarding—Network Detective also supports scheduled, recurring scans in installed environments.
The application is typically configured via a step-by-step wizard, prompting users to define targets (e.g., IP ranges), scan types (e.g., HIPAA, PCI), and credentials for services such as Active Directory or VMware. This configuration is stored locally and reused for automated scans. Notably, the same binaries are used for both ad hoc and scheduled executions, meaning any vulnerabilities affect both deployment models equally.
Due to its ease of use and deep network visibility, the tool is often run with elevated privileges across production systems. Users implicitly trust the application to securely handle credentials and sensitive data. However, the issues discovered occur under default conditions, without requiring misuse or advanced manipulation—highlighting a significant risk for environments relying on the tool for security posture validation.
CVE-2025-32353
CVSS 3.1 Score: 8.2
AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
RapidFire Tools Network Detective stores user-supplied credentials in cleartext across multiple temporary files generated during scanning and data collection activities. These credentials, which may include VMware usernames and passwords (often with administrative access), are written directly into plaintext files without obfuscation or access controls.
These files are stored in the following default paths:
%programfiles%\NetworkDetective\DataCollector\bin\tmp\ndc
%AppData%\Local\Temp\
The vulnerability occurs silently during normal tool operation. There is no warning or documentation from Kaseya advising users not to enter administrative credentials, and no indication that these values are stored insecurely.
Screenshot 1.1 – collection.txt showing cleartext password
An attacker with access to the host running Network Detective can retrieve cleartext administrative credentials from the local file system. This enables lateral movement, privilege escalation, and further compromise of the scanned infrastructure. In many cases, credentials may belong to sensitive environments such as VMware ESXi, exposing core infrastructure.
Screenshot 1.2 – Kaseya Help Article via https://helpdesk.kaseya.com/
CVE-2025-32874
CVSS 3.1 Score: 7.5
AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
A cryptographic implementation flaw exists in RapidFire Tools Network Detective, where password encryption is performed using a deterministic, static approach. The application includes multiple methods that derive encryption keys and IVs from hardcoded values and static salts, producing predictable and reversible ciphertext.
These flawed routines fall into two groups: one set labeled as FIPS-compliant and another as non-FIPS. Regardless of the classification, both use fixed derivation schemes that result in the same encrypted output for identical plaintext inputs, allowing for trivial decryption.
As a result, any password or sensitive value encrypted using these routines is vulnerable to reversal, even without access to the original plaintext, due to the absence of proper randomness, key separation, or encryption authentication.
Screenshot 2.1 – Encryption Key within binary
Screenshot 2.2 – Encrypt function, including static salt, non-FIPS
Screenshot 2.3 – Encrypt function, including static salt, FIPS
Note that the FIPS and non-FIPS functions are identical, and the FIPS challenge is also stored in the same binary:
Screenshot 2.4 – FIPS key
Additionally, since all of the information required to decrypt the passwords in the log files is present on the system (see Finding 1), attackers can easily obtain the credentials stored there.
Screenshot 2.5 – Decrypting passwords stored in collection.txt
Also of note is the salt value, “Ivan Medvedev”, which is commonly found in both malicious and non-malicious encryption/decryption routines. This salt appears either as ASCII or converted to a byte array, including here: https://stackoverflow.com/questions/10168240/encrypting-decrypting-a-string-in-c-sharp/27484425#27484425
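To make the flaw described in this finding concrete, the following Go program is an added illustration (not code from the advisory, from Kaseya or from RapidFire Tools). It shows the pattern the finding describes: a key and IV derived entirely from constants, including the static “Ivan Medvedev” salt, so identical passwords always produce identical ciphertext and anyone holding the binary's constants can decrypt stored values; a hardened form with a per-message random nonce and AES-GCM authentication follows it. The placeholder passphrase, the sample credential and the SHA-256 stand-in for the derivation routine are assumptions, not the vendor's values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-ins for the hardcoded inputs the advisory describes: "Ivan Medvedev"
// is the static salt named in the finding; the passphrase is a placeholder, NOT the vendor's key.
var staticSalt = []byte("Ivan Medvedev")
var placeholderKey = []byte("PLACEHOLDER_HARDCODED_PASSPHRASE")
// weakEncrypt mirrors the flaw: key and IV are hashed from constants (a simplified stand-in for
// the PBKDF2-style derivation), then AES-CBC with no authentication tag. Every input is fixed,
// so the same password encrypts to the same bytes on every run and on every host.
func weakEncrypt(plain []byte) []byte {
	key := sha256.Sum256(append(placeholderKey, staticSalt...)) // constants in, constant key out
	iv := sha256.Sum256(append(staticSalt, placeholderKey...))  // same for the IV
	block, _ := aes.NewCipher(key[:])
	pad := aes.BlockSize - len(plain)%aes.BlockSize // PKCS#7 padding
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv[:aes.BlockSize]).CryptBlocks(out, padded)
	return out
}
// weakDecrypt: the constants embedded in the binary are all that is needed to recover every stored value.
func weakDecrypt(ct []byte) []byte {
	key := sha256.Sum256(append(placeholderKey, staticSalt...))
	iv := sha256.Sum256(append(staticSalt, placeholderKey...))
	block, _ := aes.NewCipher(key[:])
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv[:aes.BlockSize]).CryptBlocks(out, ct)
	return out[:len(out)-int(out[len(out)-1])] // strip PKCS#7 padding
}
// hardenedEncrypt: fresh random nonce per message and AES-GCM authentication; the key is
// supplied from outside the binary (e.g. DPAPI or a vault) instead of derived from constants.
func hardenedEncrypt(key, plain []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // fresh per message; reusing it would be a flaw of its own
	return gcm.Seal(nonce, nonce, plain, nil) // nonce || ciphertext || tag
}
func main() {
	pw := []byte("vmware-admin-password") // constructed sample credential
	fmt.Println(bytes.Equal(weakEncrypt(pw), weakEncrypt(pw)), string(weakDecrypt(weakEncrypt(pw))))
}
```

Run twice on two different machines, weakEncrypt yields byte-identical output, which is exactly what lets a collected file be decrypted offline; hardenedEncrypt never repeats and rejects tampered ciphertext.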
Kaseya has updated the RapidFire Tools binary based on the research.
Galactic Advisors
340 Harrison St
Nashville, TN 37219
(615) 928-2323
Galactic Advisors is a cybersecurity firm dedicated to reducing liability for MSPs through security research, proactive assessments, and incident response.
https://galacticadvisors.com
[email protected]
Principal Security Advisor – Security Research Team
Cody Kretsinger
[email protected]
As always, made with ❤️ & 🍻
A special thanks to ab1ff, zugzwang, and everyone else who helped me throughout this process. I couldn't have done it without you.
-Cody