Full Report
New research has uncovered exploitation primitives in the .NET Framework that could be leveraged against enterprise-grade applications to achieve remote code execution. WatchTowr Labs, which has codenamed the "invalid cast vulnerability" SOAPwn, said the issue impacts Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8. But the number of affected vendors is likely to be
Analysis Summary
# Vulnerability: .NET SOAPwn (Invalid Cast Vulnerability) Leading to RCE
## CVE Details
- CVE ID: CVE-2025-34392 (Barracuda), CVE-2025-13659 (Ivanti)
- CVSS Score: 9.8 (Barracuda - Critical), 8.8 (Ivanti - High)
- CWE: Not explicitly stated; the flaw is improper handling of untrusted input that ends in code execution.
## Affected Systems
- Products: Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), Umbraco 8, and other applications utilizing .NET HTTP client proxies generated from attacker-controlled WSDL/SOAP inputs.
- Versions:
  - Barracuda Service Center RMM: Prior to 2025.1.1
  - Ivanti EPM: Prior to 2024 SU4 SR1
  - Umbraco 8: Specific version not listed, but confirmed affected.
- Configurations: Applications that dynamically create SOAP clients from external/untrusted WSDL files, leveraging `System.Web.Services.Description.ServiceDescriptionImporter`.
## Vulnerability Description
The vulnerability, codenamed "SOAPwn," stems from flaws in the .NET Framework's handling of Simple Object Access Protocol (SOAP) messages via HTTP client proxies generated from external Web Services Description Language (WSDL) definitions. An attacker can abuse the WSDL import mechanism because the generated HTTP client proxy does not adequately validate the URLs used for configuration.
This allows an attacker to manipulate the proxy into using file system handlers (e.g., "file://") instead of standard HTTP/S connections. By supplying crafted WSDL, attackers can achieve:
1. **Arbitrary File Write:** Directing SOAP requests (which the application attempts to process) to arbitrary file paths on the target system, including overwriting existing files.
2. **NTLM Relay/Credential Harvesting:** Writing requests to attacker-controlled SMB shares (using UNC paths like `file://attacker.server/poc/poc`) to capture NTLM challenges.
3. **Remote Code Execution (RCE):** By pointing the configuration to an attacker-controlled WSDL, the application can be tricked into dropping a payload (like an ASPX web shell or PowerShell script) onto the server, leading to RCE.
## Exploitation
- Status: PoC available (demonstrated in a presentation at Black Hat Europe).
- Complexity: Low, if the application dynamically imports untrusted WSDL. Achieving RCE additionally depends on whether the target application will execute a dropped file, for example a web shell (`ASPX`, `CSHTML`) or a script (`PowerShell`).
- Attack Vector: Network (the attacker-supplied WSDL arrives over the network and initiates the flawed SOAP deserialization/proxy creation process).
## Impact
- Confidentiality: High (Potential for credential theft via NTLM relay).
- Integrity: Critical (Arbitrary file overwrite, leading directly to RCE).
- Availability: High (RCE can lead to system compromise and denial of service).
## Remediation
### Patches
- **Barracuda Service Center RMM:** Version 2025.1.1 or later. (CVE-2025-34392)
- **Ivanti EPM:** Version 2024 SU4 SR1 or later. (CVE-2025-13659)
- **Microsoft .NET Framework:** Microsoft declined to issue a fix, stating the issue lies with the application consuming untrusted input, implying vendor-specific fixes are the primary route.
### Workarounds
- **Input Validation:** Implement stringent checks to ensure that input used to construct or retrieve WSDL definitions for client proxies originates only from trusted, internal, and verified sources.
- **Restrict Untrusted Input:** Applications should not accept WSDL locations or WSDL content from external, unauthenticated, or untrusted user input if that input is used to dynamically generate SOAP client proxies via classes like `ServiceDescriptionImporter`.
## Detection
- **Indicators of Compromise:** Monitor for outbound connections to attacker-controlled SMB shares immediately following SOAP requests, especially if NTLM authentication traffic is observed. Look for file write operations to non-standard locations or overwrites of executable files (`.aspx`, `.ps1`) when processing SOAP messages.
- **Detection Methods and Tools:** Inspect network traffic logs for unusual URI schemes (`file://`, `smb://`) being used in SOAP request headers or bodies intended for WSDL processing or HTTP client proxy initialization. Apply runtime application self-protection (RASP) to monitor unexpected file system access initiated by SOAP/WSDL processing threads.
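The Workarounds and Detection points above reduce to one check: reject any WSDL location that is not http(s) before a client proxy is generated from it. The Python below is an added example, not code from watchTowr, Microsoft or the affected vendors; the element names are the standard WSDL/SOAP namespaces, while the sample document, hostnames and paths are constructed.

```python
"""Scan a WSDL for endpoint/import locations whose URI scheme is not http(s),
the condition SOAPwn relies on. Added example, not watchTowr's or Microsoft's."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# WSDL elements whose location attribute a .NET proxy generator turns into
# a URL that the application will later open.
LOCATION_ATTRS = {
    "{http://schemas.xmlsoap.org/wsdl/soap/}address": "location",
    "{http://schemas.xmlsoap.org/wsdl/soap12/}address": "location",
    "{http://schemas.xmlsoap.org/wsdl/http/}address": "location",
    "{http://schemas.xmlsoap.org/wsdl/}import": "location",
    "{http://www.w3.org/2001/XMLSchema}import": "schemaLocation",
}
ALLOWED_SCHEMES = {"http", "https"}

def classify_location(raw):
    """Return None for an http(s) URL, otherwise the reason to reject it."""
    loc = raw.strip()
    if loc.startswith("\\\\"):
        return "UNC path"  # \\host\share\file would become an SMB write
    scheme = urlsplit(loc).scheme.lower()
    if scheme in ALLOWED_SCHEMES:
        return None
    return f"scheme '{scheme or 'none'}'"

def scan_wsdl(xml_text):
    """Return (element, location, reason) for each location to reject."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        attr = LOCATION_ATTRS.get(elem.tag)
        if attr is None or attr not in elem.attrib:
            continue
        reason = classify_location(elem.attrib[attr])
        if reason is not None:
            findings.append((elem.tag.split("}")[1], elem.attrib[attr], reason))
    return findings

# Constructed sample: one legitimate endpoint and two SOAPwn-style ones.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/">
  <service name="Demo">
    <port name="Ok"><soap:address location="https://api.example.internal/svc"/></port>
    <port name="Drop"><soap:address location="file:///C:/inetpub/wwwroot/dropped.aspx"/></port>
    <port name="Relay"><soap12:address location="file://attacker.server/poc/poc"/></port>
  </service>
</definitions>"""

if __name__ == "__main__":
    for tag, loc, why in scan_wsdl(SAMPLE_WSDL):
        print(f"REJECT {tag}: {loc} ({why})")
```

Run the same check on the WSDL an application is about to hand to `ServiceDescriptionImporter`, and abort the import when `scan_wsdl` returns anything.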
## References
- Vendor Advisories: Barracuda advisory for CVE-2025-34392, Ivanti advisory for CVE-2025-13659.
- Research: WatchTowr Labs "SOAPwn" research presentation and related advisories.