Executive Summary

Two vulnerabilities have been identified in RapidFire Tools Network Detective, a system assessment and reporting tool developed by Kaseya (RapidFire Tools). These issues significantly compromise the confidentiality and integrity of credentials gathered and processed during routine network scans, exposing sensitive data to both local attackers and potentially malicious insiders.

Vulnerability 1: Passwords in Cleartext

During its normal operation, Network Detective saves usernames and passwords in plain, readable text across several temporary files. These files are stored locally on the device and are not protected or hidden. In many cases, the credentials collected include privileged or administrative accounts, such as those used for VMware.

An attacker who gains access to the machine running the scan—whether physically, remotely, or through malware—can easily retrieve these passwords without needing to decrypt anything. This presents a serious risk to client infrastructure, especially when those credentials are reused or provide broad system access.

Vulnerability 2: Reversible Encryption

RapidFire Tools Network Detective uses a flawed method to encrypt passwords and other sensitive data during network scans. The encryption process is based on static, built-in values, which means it produces the same result every time for the same input. This makes it possible for anyone with access to the tool or encrypted data to easily reverse the encryption and retrieve original passwords.

This weakness puts client environments at risk, especially since the encrypted data often includes administrative credentials. The encryption does not follow modern security standards, and attackers do not need special tools or expertise to break it—only access to the files or application.

Analysis and Background

Network Detective, a product developed by RapidFire Tools (a Kaseya company), is designed to scan networks for vulnerabilities, misconfigurations, and compliance issues. It is used by managed service providers (MSPs), IT consultants, and internal IT departments to assess network health and generate reports. While commonly deployed as a standalone binary for one-off scans—often during sales or onboarding—Network Detective also supports scheduled, recurring scans in installed environments.

The application is typically configured via a step-by-step wizard, prompting users to define targets (e.g., IP ranges), scan types (e.g., HIPAA, PCI), and credentials for services such as Active Directory or VMware. This configuration is stored locally and reused for automated scans. Notably, the same binaries are used for both ad hoc and scheduled executions, meaning any vulnerabilities affect both deployment models equally.

Due to its ease of use and deep network visibility, the tool is often run with elevated privileges across production systems. Users implicitly trust the application to securely handle credentials and sensitive data. However, the issues discovered occur under default conditions, without requiring misuse or advanced manipulation—highlighting a significant risk for environments relying on the tool for security posture validation.

Finding 1: Cleartext Credentials Stored in RapidFire Tools Network Detective Unencrypted Log Files

CVE-2025-32353
CVSS 3.1 Score: 8.2
AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

RapidFire Tools Network Detective stores user-supplied credentials in cleartext across multiple temporary files generated during scanning and data collection activities. These credentials, which may include VMware usernames and passwords (often with administrative access), are written directly into plaintext files without obfuscation, access controls, or encryption.

Vulnerability Types

  • CWE-312: Cleartext Storage of Sensitive Information
  • CWE-922: Insecure Storage of Sensitive Information
  • CWE-532: Insertion of Sensitive Information into Log File

Affected Files

  • collection.txt
  • ndfRun.log
  • run.ndp
  • ndscan-########.ndf (ZIP archive that contains backups of the files listed above)

These files are stored in the following default path:

%programfiles%\NetworkDetective\DataCollector\bin\tmp\ndc

The vulnerability occurs silently during normal tool operation. There is no warning or documentation from Kaseya advising users not to enter administrative credentials, and no indication that these values are stored insecurely.


Screenshot 1.1 – collection.txt showing cleartext password

An attacker with access to the host running Network Detective can retrieve cleartext administrative credentials from the local file system. This enables lateral movement, privilege escalation, and further compromise of the scanned infrastructure. In many cases, credentials may belong to sensitive environments such as VMware ESXi, exposing core infrastructure.

Screenshot 1.2 – Kaseya Help Article via https://helpdesk.kaseya.com/

Recommendations made to Kaseya

  • Eliminate plaintext password storage in all text, configuration, and log files
  • Obscure or securely hash any password data that must be included in logs or reports
  • Implement controls to prevent password artifacts from being written to any file system

Finding 2: Predictable Encryption Routine in RapidFire Tools Network Detective Enables Reversible Password Exposure

CVE-2025-32874
CVSS 3.1 Score: 7.5
AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

A cryptographic implementation flaw exists in RapidFire Tools Network Detective, where password encryption is performed using a deterministic, static approach. The application includes multiple methods that derive encryption keys and IVs from hardcoded values and static salts, producing predictable and reversible ciphertext.

These flawed routines fall into two groups: one set labeled as FIPS-compliant and another as non-FIPS. Regardless of the classification, both use fixed derivation schemes that result in the same encrypted output for identical plaintext inputs, allowing for trivial decryption.

As a result, any password or sensitive value encrypted using these routines is vulnerable to reversal, even without access to the original plaintext, due to the absence of proper randomness, key separation, and authenticated encryption.

Vulnerability Types

  • CWE-329: Not Using a Random IV with CBC Mode
  • CWE-326: Inadequate Encryption Strength
  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • CWE-1240: Use of a Risky Cryptographic Primitive

Affected Files

  • RemoteDataCollectorSetup.exe


Screenshot 2.1 – Encryption Key within binary


Screenshot 2.2 – Encrypt function, including static salt, non-FIPS


Screenshot 2.3 – Encrypt function, including static salt, FIPS

Note that both the FIPS and non-FIPS functions are identical, and the FIPS challenge is also stored in the same binary:


Screenshot 2.4 – FIPS key

Additionally, since all information required to decrypt passwords in log files is present on the system (see Finding 1), attackers can easily obtain credentials stored in log files.


Screenshot 2.5 – Decrypting passwords stored in collection.txt

Also of note is the salt value, “Ivan Medvedev”, which is commonly found in both malicious and non-malicious encryption/decryption routines. The salt can be seen either as ASCII or converted to bytes, including here: https://stackoverflow.com/questions/10168240/encrypting-decrypting-a-string-in-c-sharp/27484425#27484425

Recommendations made to Kaseya

  • Replace deterministic key/IV derivation with secure, random values per operation
  • Adopt authenticated encryption modes (e.g., AES-GCM)
  • Eliminate static key material from the binary
  • Ensure proper separation of cryptographic roles between key derivation and encryption logic

Recommendations for RapidFire Tools Network Detective Customers

Kaseya has updated the RapidFire Tools binary based on our research.

  • Immediately update all instances of RapidFire Tools
  • Verify no files exist in the following directory: %programfiles%\NetworkDetective\DataCollector\bin\tmp\ndc
  • Rotate all credentials previously used for scanning

Contact information

Prepared by:

Galactic Advisors
340 Harrison St
Nashville, TN 37219
(615) 928-2323

About Galactic Advisors

Galactic Advisors is a cybersecurity firm dedicated to reducing liability for MSPs through security research, proactive assessments, and incident response.

https://galacticadvisors.com
press@GalacticAdvisors.com

Researchers

Principal Security Advisor – Security Research Team
Cody Kretsinger
Cody.Kretsinger@GalacticAdvisors.com