
e-Fatura CVE-2025-14018

Severity: HIGH
Weakness: Unquoted Search Path or Element (CWE-428)
Published: 2025-12-22 (contact: iletisim@usom.gov.tr)
CVSS 3.1 base score: 7.3 (NVD)

Severity by source

NVD (primary): 7.3 HIGH
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Primary rating from NVD; NVD is the only scoring source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: Low

Lifecycle Timeline

1. Analysis generated: Jun 04, 2026, 07:36 (vuln.today)

Description (source: CVE.org)

Unquoted Search Path or Element vulnerability in NetBT Consulting Services Inc. E-Fatura allows Leveraging/Manipulating Configuration File Search Paths, Redirect Access to Libraries.

This issue affects e-Fatura: before 1.2.15.

Analysis (AI-generated)

Local privilege escalation in NetBT Consulting Services e-Fatura versions prior to 1.2.15 allows authenticated low-privileged users to leverage an unquoted Windows service path to execute arbitrary code with elevated privileges. Publicly available exploit code exists (Exploit-DB 52509), though EPSS scoring (0.20%, 42nd percentile) suggests limited widespread exploitation, and the issue is not currently listed in CISA KEV.

Technical Context (AI-generated)

The vulnerability is rooted in CWE-428 (Unquoted Search Path or Element), a classic Windows misconfiguration in which a service or scheduled task is registered with an unquoted executable path that contains spaces (e.g., C:\Program Files\NetBT\e-Fatura\service.exe). When the service control manager starts such a service, CreateProcess resolves the ambiguous command line by trying each successively longer prefix that ends at a space as an executable (C:\Program.exe first) before it reaches the intended binary. If an attacker can write to any directory along that chain, a binary planted at one of those prefix locations runs in the service account's context (typically SYSTEM). e-Fatura is a Turkish electronic invoicing client produced by NetBT Consulting Services; CPE data was not provided in the intelligence package to further narrow the affected SKUs or installation profiles.

Affected Products (AI-generated)

NetBT Consulting Services Inc. e-Fatura at all versions prior to 1.2.15 on Windows hosts is affected; no CPE string was supplied in the intelligence package to disambiguate specific editions. Vendor and national CERT advisories are published at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0474 and https://www.usom.gov.tr/bildirim/tr-25-0474 (Turkish National Cyber Incident Response Center, USOM).

Remediation (AI-generated)

Upgrade e-Fatura to version 1.2.15 or later, which the vendor advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0474 identifies as the first fixed release. As a compensating control until patching is possible, administrators can manually correct the affected service's ImagePath in the Windows registry under HKLM\SYSTEM\CurrentControlSet\Services\<service-name> by wrapping the executable path in double quotes (note: this must be re-applied after any reinstall or update that rewrites the service). Additionally, audit and remove write permissions for non-administrative users on C:\, C:\Program Files, and any intermediate directories in the unquoted path (trade-off: may break installers or applications that legitimately write to those locations); enabling AppLocker or WDAC rules restricting execution of unsigned binaries from these directories adds defense in depth at the cost of allowlist maintenance overhead.
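As an added example (not code from NetBT, USOM or vuln.today), the following PowerShell implements the compensating controls described above: it enumerates services whose ImagePath is unquoted and contains spaces, reports which directories along the resolution chain grant write access to broad groups such as Users or Everyone, and can rewrite the ImagePath with quotes. The function names, the service-name placeholder and the assumption of an elevated PowerShell 5.1 or later session are assumptions of this example; the advisory does not give the e-Fatura service name.

```powershell
# Added example, not vendor or vuln.today code: audit every Windows service for an
# unquoted ImagePath containing spaces (CWE-428), report which directories along the
# resolution chain are writable by non-administrators, and optionally quote the path.
# Assumptions: run from an elevated PowerShell 5.1+ session; service names are whatever
# the host has (the e-Fatura service name is not given in the advisory).

function Test-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Path)
    # $true if Everyone, Users or Authenticated Users hold an Allow ACE granting
    # CreateFiles (WriteData). Deny ACEs are ignored here, so treat a hit as
    # "review this directory", not as proof that a low-privileged user can write.
    $broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if ([int]$ace.FileSystemRights -band [int][System.Security.AccessControl.FileSystemRights]::CreateFiles) {
            return $true
        }
    }
    return $false
}

function Get-UnquotedServicePath {
    # The registry ImagePath is the value the service control manager actually uses.
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in (Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue)) {
        $imagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        # Skip missing, already-quoted, and non-drive-rooted (driver / %SystemRoot%) paths
        if (-not $imagePath -or $imagePath.StartsWith('"')) { continue }
        if ($imagePath -notmatch '^(?<exe>[A-Za-z]:\\.*?\.exe)(?<args>\s.*)?$') { continue }
        $exe     = $Matches['exe']
        $argPart = [string]$Matches['args']
        if ($exe -notmatch '\s') { continue }   # spaces only in the arguments are harmless

        # Directories that must not be writable: the parent of each space-delimited prefix
        # Windows would try before the real binary (C:\Program.exe -> C:\)
        $candidateDirs = @()
        $i = $exe.IndexOf(' ')
        while ($i -ge 0) {
            $candidateDirs += (Split-Path -Parent ($exe.Substring(0, $i)))
            $i = $exe.IndexOf(' ', $i + 1)
        }
        $candidateDirs = $candidateDirs | Select-Object -Unique

        [PSCustomObject]@{
            Service      = $key.PSChildName
            ImagePath    = $imagePath
            QuotedPath   = ('"{0}"{1}' -f $exe, $argPart)
            WritableDirs = @($candidateDirs | Where-Object { Test-BroadWriteAccess -Path $_ })
        }
    }
}

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)]$Finding)
    process {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Finding.Service)"
        if ($PSCmdlet.ShouldProcess($key, "Set ImagePath to $($Finding.QuotedPath)")) {
            # ImagePath is normally REG_EXPAND_SZ; keep that type when rewriting
            Set-ItemProperty -Path $key -Name ImagePath -Value $Finding.QuotedPath -Type ExpandString
        }
    }
}

# Usage (elevated):
#   Get-UnquotedServicePath | Format-Table Service, ImagePath, WritableDirs -AutoSize
#   Get-UnquotedServicePath | Where-Object Service -eq 'SERVICE-NAME-PLACEHOLDER' |
#       Repair-UnquotedServicePath -WhatIf     # drop -WhatIf to apply
# Re-run after any reinstall or upgrade, since installers may rewrite ImagePath.
```

A non-empty WritableDirs column is the finding that matters: an unquoted path whose prefix directories are all restricted to administrators is a hygiene issue, while one with a broadly writable directory is the condition the advisory describes. Repairing the registry value is a stopgap only; the vendor fix in 1.2.15 is the durable remedy.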
