Dec 10, 2025Ravie LakshmananEnterprise Safety / Net Companies
New analysis has uncovered exploitation primitives within the .NET Framework that might be leveraged towards enterprise-grade functions to attain distant code execution.
WatchTowr Labs, which has codenamed the “invalid solid vulnerability” SOAPwn, mentioned the difficulty impacts Barracuda Service Heart RMM, Ivanti Endpoint Supervisor (EPM), and Umbraco 8. However the variety of affected distributors is prone to be longer given the widespread use of .NET.
The findings had been offered right now by watchTowr safety researcher Piotr Bazydlo on the Black Hat Europe safety convention, which is being held in London.
SOAPwn basically permits attackers to abuse Net Companies Description Language (WSDL) imports and HTTP consumer proxies to execute arbitrary code in merchandise constructed on the foundations of .NET resulting from errors in the way in which they deal with Easy Object Entry Protocol (SOAP) messages.
“It’s often abusable by way of SOAP shoppers, particularly if they’re dynamically created from the attacker-controlled WSDL,” Bazydlo mentioned.
Because of this, .NET Framework HTTP consumer proxies will be manipulated into utilizing file system handlers and obtain arbitrary file write by passing as URL one thing like “file://” right into a SOAP consumer proxy, in the end resulting in code execution. To make issues worse, it may be used to overwrite current recordsdata for the reason that attacker controls the complete write path.
In a hypothetical assault situation, a risk actor might leverage this habits to provide a Common Naming Conference (UNC) path (e.g., “file://attacker.server/poc/poc”) and trigger the SOAP request to be written to an SMB share beneath their management. This, in flip, can enable an attacker to seize the NTLM problem and crack it.
That is not all. The analysis additionally discovered {that a} extra highly effective exploitation vector will be weaponized in functions that generate HTTP consumer proxies from WSDL recordsdata utilizing the ServiceDescriptionImporter class by profiting from the truth that it doesn’t validate the URL utilized by the generated HTTP consumer proxy.
On this approach, an attacker can present a URL that factors to a WSDL file they management to susceptible functions, and procure distant code execution by dropping a totally purposeful ASPX internet shell or further payloads like CSHTML internet shells or PowerShell scripts.
Following accountable disclosure in March 2024 and July 2025, Microsoft has opted to not repair the vulnerability, stating the difficulty stems from both an software situation or habits, and that “customers mustn’t devour untrusted enter that may generate and run code.”
The findings illustrate how anticipated habits in a well-liked framework can grow to be a possible exploit path that results in NTLM relaying or arbitrary file writes. The problem has since been addressed in Barracuda Service Heart RMM model 2025.1.1 (CVE-2025-34392, CVSS rating: 9.8) and Ivanti EPM model 2024 SU4 SR1 (CVE-2025-13659, CVSS rating: 8.8).
“It’s doable to make SOAP proxies write SOAP requests into recordsdata moderately than sending them over HTTP,” Bazydlo mentioned. “In lots of circumstances, this results in distant code execution by way of webshell uploads or PowerShell script uploads. The precise impression is determined by the appliance utilizing the proxy courses.”
