By rssfeeds-admin .webp?ssl=1 "New “SOAPwn” .NET Vulnerabilities Expose Barracuda, Ivanti and Microsoft Appliances to RCE Attack")
Including Barracuda Service Center RMM, Ivanti Endpoint Manager, Umbraco CMS 8, Microsoft PowerShell, and SQL Server Integration Services.
Understanding the SOAPwn Vulnerability Class
Presented by Piotr Bazydlo at Black Hat Europe 2025, SOAPwn centers on how. NET’s SOAP HTTP client proxies handle URLs.
The affected proxy classes (SoapHttpClientProtocol, DiscoveryClientProtocol, and HttpSimpleClientProtocol) inherit from HttpWebClientProtocol.
Which internally uses WebRequest.Create(uri) without enforcing HTTP-only schemes. If an attacker can influence the URL property (directly or via WSDL imports),
The proxy may transparently switch from HTTP to file:// or UNC paths, turning a network SOAP call into a local or remote file write.
This design quirk enables several attack primitives. At the low end, attackers can relay NTLM by directing SOAP traffic to SMB shares.
| Product | CVE ID | Vulnerability Type | Attack Vector |
|---|---|---|---|
| Barracuda Service Center RMM | CVE-2025-34392 | Pre-authenticated RCE | Malicious WSDL import |
| Ivanti Endpoint Manager (EPM) | CVE-2025-13659 | WSDL-based RCE | Namespace payload injection |
| Umbraco 8 CMS | Not assigned | Post-authentication RCE | Web service data source manipulation |
| Microsoft PowerShell | Not assigned | WSDL consumption RCE | WSDL parsing |
| Microsoft SQL Server Integration Services | Not assigned | WSDL consumption RCE | WSDL parsing |
More critically, when combined with attacker-controlled WSDL and SOAP arguments, the same behavior becomes an arbitrary-file-write primitive.
In real-world appliances, researchers used this to inject ASPX or CSHTML webshells or malicious PowerShell scripts into web-accessible paths, resulting in full RCE.
Affected Products and CVE Details
A light review of the standard. NET-based solutions have already surfaced multiple impacted products.
Barracuda Service Center RMM exposed a pre-authenticated SOAP method that dynamically imports WSDL.
Generates a proxy via ServiceDescriptionImporter, compiles it, and invokes attacker-chosen methods with attacker-supplied arguments.
A single crafted SOAP request was enough to write a webshell to disk, now tracked as CVE-2025-34392 and patched in hotfix 2025.1.1.
Ivanti Endpoint Manager was similarly exploitable via CSHTML payloads smuggled through namespaces in malicious WSDL files.
Umbraco 8 CMS allowed authenticated users with Forms permissions to define arbitrary web service data sources pointing to an attacker’s WSDL, again reaching the same vulnerable proxy path.
According to Watchtowr, Microsoft PowerShell and SSIS were also shown to be vulnerable when consuming untrusted WSDL.
Despite the issues arising from core .NET proxy behavior, Microsoft has repeatedly assigned these findings a “DONOTFIX” status at the framework level.
Characterizing them as application-layer problems and updating documentation instead of shipping code changes.
For defenders, the practical guidance is clear: identify and lock down any use of ServiceDescriptionImporter that processes attacker-controlled WSDL.
Audit all usages of SoapHttpClientProtocol, DiscoveryClientProtocol, HttpPostClientProtocol, and HttpGetClientProtocol where the URL property may be influenced by user input.
Given the age and ubiquity of the .NET Framework in enterprise environments, similar SOAP-style bugs are likely to surface in many more in-house and vendor solutions.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post New “SOAPwn” .NET Vulnerabilities Expose Barracuda, Ivanti and Microsoft Appliances to RCE Attack appeared first on Cyber Security News.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.