Categories: Cyber Security News

CISA Alerts on Active Exploitation of Wing FTP Server Vulnerability

Security researchers at LRQA have disclosed a critical unauthenticated remote code execution vulnerability in Broadcom’s Symantec Endpoint Management Suite, affecting enterprise networks worldwide.

The vulnerability, assigned CVE-2025-5333, carries a maximum CVSS v4.0 score of 9.5 and impacts versions 8.6.x, 8.7.x, and 8.8 of the widely deployed endpoint management platform.

Technical Details Reveal Legacy .NET Remoting Exploitation

The vulnerability stems from an exposed legacy .NET Remoting endpoint located at tcp://<host>:4011/IRM/HostedService within the Altiris Inventory Rule Management (IRM) component.

When accessible over the network, this endpoint enables arbitrary code execution by unauthenticated attackers through insecure deserialization of .NET objects.

LRQA researchers discovered that the application utilizes BinaryServerFormatterSinkProvider with TypeFilterLevel set to Full – a configuration known to be unsafe as it enables unrestricted object deserialization.

This configuration allows attackers to send malicious .NET objects to the server, which are automatically deserialized and executed, leading to complete system compromise.

The CVSS vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H indicates network-based attacks with high complexity but no authentication requirements, resulting in complete confidentiality, integrity, and availability impact.

Discovery Through Red Team Assessment

The vulnerability was identified during a Red Team engagement when researchers gained initial access to a hardened workstation.

Using PowerShell reconnaissance commands, they discovered port 4011 bound to 0.0.0.0, meaning the service was listening on all network interfaces:

# List every listening TCP socket together with the process that owns it
Get-NetTCPConnection |
    Where-Object { $_.State -eq 'Listen' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            OwningProcess = $_.OwningProcess
            ProcessName   = if ($proc) { $proc.ProcessName } else { 'N/A' }
        }
    }

Further analysis using dnSpy, a .NET debugger and assembly editor, revealed a call to RemotingConfiguration.RegisterWellKnownServiceType, confirming legacy .NET Remoting usage.

Coordinated Response and Mitigation Measures

Researchers validated the vulnerability using James Forshaw’s ExploitRemotingService tool with the command:

ExploitRemotingService.exe --uselease tcp://<target>:4011/IRM/HostedService ls C:

The command successfully executed remotely and returned directory contents.

Following coordinated disclosure protocols, Broadcom’s PSIRT team promptly confirmed the issue and released advisory SVM24-006 in June 2025.

The primary mitigation involves ensuring port 4011 is closed via firewall configuration on the Notification Server.

Additionally, administrators can disable the vulnerable service by adding a core setting with the name IRM_HostedServiceUrl and leaving the value empty.

Broadcom has committed to limiting .NET Remoting usage to localhost-only connections in upcoming product releases, effectively preventing remote exploitation while maintaining necessary functionality for legitimate administrative tasks.
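
A defender-side check for the exposure and firewall mitigation described above, as an added example that is not code from LRQA, Broadcom or the original article. The function name Test-IrmListenerExposure and the firewall rule display name are assumptions, and the sample listener objects are constructed.

```powershell
# Added example: flag an IRM .NET Remoting listener (TCP 4011, per the article)
# that is bound to a network-reachable address.
# Test-IrmListenerExposure is a hypothetical helper name.
function Test-IrmListenerExposure {
    param(
        # Objects exposing LocalAddress, LocalPort and OwningProcess,
        # such as the output of Get-NetTCPConnection -State Listen
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Listeners,
        [int] $Port = 4011
    )
    $loopback = @('127.0.0.1', '::1')
    foreach ($l in $Listeners) {
        if ([int]$l.LocalPort -ne $Port) { continue }
        [PSCustomObject]@{
            LocalAddress  = $l.LocalAddress
            LocalPort     = $l.LocalPort
            OwningProcess = $l.OwningProcess
            # Anything other than loopback (0.0.0.0, ::, a NIC address) is remotely reachable
            Exposed       = $l.LocalAddress -notin $loopback
        }
    }
}

# Constructed sample input so the logic can be checked away from a live server
$sample = @(
    [PSCustomObject]@{ LocalAddress = '0.0.0.0';   LocalPort = 4011; OwningProcess = 4242 }
    [PSCustomObject]@{ LocalAddress = '127.0.0.1'; LocalPort = 4011; OwningProcess = 4242 }
    [PSCustomObject]@{ LocalAddress = '0.0.0.0';   LocalPort = 443;  OwningProcess = 4 }
)
Test-IrmListenerExposure -Listeners $sample | Format-Table -AutoSize

# Live check on the Notification Server
$live    = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue)
$exposed = @(Test-IrmListenerExposure -Listeners $live | Where-Object Exposed)
if ($exposed.Count -gt 0) {
    $exposed | Format-Table -AutoSize
    Write-Warning 'Port 4011 is listening on a non-loopback address.'
    # Firewall mitigation described in the article; the rule name is an assumption.
    # Run from an elevated session:
    # New-NetFirewallRule -DisplayName 'Block IRM .NET Remoting 4011' -Direction Inbound -Protocol TCP -LocalPort 4011 -Action Block
}
```

A listener that still reports Exposed after the IRM_HostedServiceUrl core setting has been emptied indicates the service has not picked up the change.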


The post CISA Alerts on Active Exploitation of Wing FTP Server Vulnerability appeared first on Cyber Security News.

rssfeeds-admin
