The vulnerability, assigned CVE-2025-5333, carries a maximum CVSS v4.0 score of 9.5 and impacts versions 8.6.x, 8.7.x, and 8.8 of the widely deployed endpoint management platform.
Technical Details Reveal Legacy .NET Remoting Exploitation
The vulnerability stems from an exposed legacy .NET Remoting endpoint located at tcp://<host>:4011/IRM/HostedService within the Altiris Inventory Rule Management (IRM) component.
When accessible over the network, this endpoint enables arbitrary code execution by unauthenticated attackers through insecure deserialization of .NET objects.
LRQA researchers discovered that the application utilizes BinaryServerFormatterSinkProvider with TypeFilterLevel set to Full – a configuration known to be unsafe as it enables unrestricted object deserialization.
This configuration allows attackers to send malicious .NET objects to the server, which are automatically deserialized and executed, leading to complete system compromise.
The CVSS vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H indicates network-based attacks with high complexity but no authentication requirements, resulting in complete confidentiality, integrity, and availability impact.
Discovery Through Red Team Assessment
The vulnerability was identified during a Red Team engagement when researchers gained initial access to a hardened workstation.
Using PowerShell reconnaissance commands, they discovered port 4011 bound to 0.0.0.0, indicating global network accessibility:
    Get-NetTCPConnection |
        Where-Object { $_.State -eq 'Listen' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                LocalAddress  = $_.LocalAddress
                LocalPort     = $_.LocalPort
                OwningProcess = $_.OwningProcess
                ProcessName   = if ($proc) { $proc.ProcessName } else { 'N/A' }
            }
        }
Further analysis using DnSpy, a .NET debugger and assembly editor, revealed the presence of RemotingConfiguration.RegisterWellKnownServiceType, confirming legacy .NET Remoting usage.
Coordinated Response and Mitigation Measures
Researchers validated the vulnerability using James Forshaw’s ExploitRemotingService tool with the command ExploitRemotingService.exe --uselease tcp://<target>:4011/IRM/HostedService ls C:, successfully executing remote commands and retrieving directory contents.
Following coordinated disclosure protocols, Broadcom’s PSIRT team promptly confirmed the issue and released advisory SVM24-006 in June 2025.
The primary mitigation involves ensuring port 4011 is closed via firewall configuration on the Notification Server.
Additionally, administrators can disable the vulnerable service by adding a core setting with the name IRM_HostedServiceUrl and leaving the value empty.
Broadcom has committed to limiting .NET Remoting usage to localhost-only connections in upcoming product releases, effectively preventing remote exploitation while maintaining necessary functionality for legitimate administrative tasks.
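A defender-side check for the exposure and the firewall mitigation described above, as an added example that is not part of the original article or Broadcom's advisory. The function name, the -AddBlockRule switch and the rule display name are hypothetical; port 4011 is taken from the text above.

```powershell
# Added example (not from the article or the vendor advisory).
# Assumptions: port 4011 comes from the text above; the function name, the
# -AddBlockRule switch and the rule display name are hypothetical.
function Test-IrmRemotingExposure {
    [CmdletBinding()]
    param(
        [int]$Port = 4011,
        [switch]$AddBlockRule   # create an inbound block rule if none is found
    )
    $loopback = '127.0.0.1', '::1'

    # Listeners on the port; anything not bound to loopback is reachable remotely.
    $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                LocalAddress  = $_.LocalAddress
                ProcessName   = if ($proc) { $proc.ProcessName } else { 'N/A' }
                RemotelyBound = $_.LocalAddress -notin $loopback
            }
        })
    $remote = @($listeners | Where-Object { $_.RemotelyBound })

    # Enabled inbound block rules in the local store that name this TCP port exactly.
    # Port ranges and profile- or address-scoped rules need manual review; add
    # -PolicyStore ActiveStore to Get-NetFirewallRule to include Group Policy rules.
    $blocks = @(Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            $filter.Protocol -eq 'TCP' -and $filter.LocalPort -contains "$Port"
        })

    $ruleAdded = $false
    if ($AddBlockRule -and $remote.Count -gt 0 -and $blocks.Count -eq 0) {
        New-NetFirewallRule -DisplayName "Block IRM .NET Remoting (TCP $Port)" `
            -Direction Inbound -Protocol TCP -LocalPort $Port -Action Block -Profile Any | Out-Null
        $ruleAdded = $true
    }

    [PSCustomObject]@{
        Port          = $Port
        Listeners     = $listeners
        RemotelyBound = $remote.Count -gt 0
        BlockRule     = ($blocks.Count -gt 0) -or $ruleAdded
        Exposed       = ($remote.Count -gt 0) -and ($blocks.Count -eq 0) -and -not $ruleAdded
    }
}
Test-IrmRemotingExposure | Format-List
```

Without -AddBlockRule the function only reports; creating the rule needs an elevated session, and the result covers the host firewall only, not network firewalls in front of the server.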
