New “SOAPwn” .NET Flaws Expose Barracuda, Ivanti, and Microsoft Devices to RCE

Security researchers have disclosed a new class of vulnerabilities, collectively named “SOAPwn,” that affects the .NET Framework and exposes enterprise appliances from major vendors like Barracuda, Ivanti, and Microsoft to Remote Code Execution (RCE) attacks.

The findings, presented by researcher Piotr Bazydlo at Black Hat Europe 2025, highlight a fundamental design flaw in the framework’s HTTP client proxies that handles URLs, a flaw Microsoft has reportedly declined to fix.

The core of the SOAPwn vulnerability lies within the SoapHttpClientProtocol class in the .NET Framework.

Researchers discovered that this class, intended to handle SOAP requests over HTTP, can be manipulated to access the local filesystem.

By supplying a URL with a file:// scheme instead of http://, an attacker can trick the proxy into writing the SOAP request body directly to a specified file path.

This creates multiple attack vectors, including NTLM relay and, more critically, arbitrary file writes that can lead to RCE via a webshell upload.

Exploitation via WSDL Imports and Vendor Response

The research demonstrates that the most potent exploitation method involves the .NET Framework’s ServiceDescriptionImporter class, which generates client proxy classes from WSDL (Web Services Description Language) files.

Attackers can host a malicious WSDL file and trick an application into generating a proxy that points to a local file path.

This technique grants significant control over the content written to the file, enabling the upload of ASPX or CSHTML webshells.

This vector proved successful against Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and even Microsoft’s own PowerShell and SQL Server Integration Services.

Despite the widespread implications and successful demonstrations of RCE, Microsoft has reportedly classified the issue as a “feature, not a bug,” stating it does not meet the bar for immediate servicing.

The company has pushed the responsibility onto developers to validate all inputs, a stance that has drawn criticism, given the unexpected behavior of a component named “HttpClientProtocol.” Other affected vendors have released patches.

CVE ID	Affected Product	Vulnerability Type	Status
CVE-2025-34392	Barracuda Service Center RMM	Pre-Authentication RCE	Patched in hotfix 2025.1.1
CVE-2025-13659	Ivanti Endpoint Manager (EPM)	Post-Authentication RCE	Patched

Find this Story Interesting! Follow us on Google News, LinkedIn and X to Get More Instant Update

The post New “SOAPwn” .NET Flaws Expose Barracuda, Ivanti, and Microsoft Devices to RCE appeared first on Cyber Security News.