- A critical vulnerability named SOAPwn affects the .NET Framework, enabling remote code execution in enterprise applications.
- The flaw abuses Web Services Description Language (WSDL) imports and HTTP client proxies to manipulate Simple Object Access Protocol (SOAP) message handling.
- Affected products include Barracuda Service Center RMM and Ivanti Endpoint Manager; both vendors have released patches.
- Microsoft did not issue a fix, citing the problem as application-side behavior requiring user caution when handling untrusted input.
New research revealed security weaknesses in the .NET Framework that allow attackers to execute code remotely by exploiting mishandling of Simple Object Access Protocol (SOAP) messages. The findings were disclosed publicly on December 10, 2025, during a presentation at the Black Hat Europe security conference in London.
The vulnerability, tracked as SOAPwn, targets how Web Services Description Language (WSDL) files and HTTP client proxies interact in .NET-based applications. Attackers can supply malicious WSDL files that dynamically generate SOAP clients, exploiting these to write arbitrary files or deploy web shells. This enables remote code execution on affected systems.
Products impacted by this flaw include Barracuda Service Center RMM and Ivanti Endpoint Manager (EPM). Researchers also noted that the broad usage of .NET means many other vendors might be at risk. Full details were presented by security researcher Piotr Bazydlo, who explained that the issue arises from the unsafe handling of URLs passed as parameters to HTTP client proxies, such as those beginning with “file://” or containing Universal Naming Convention (UNC) paths.
These manipulated URLs can cause the vulnerable SOAP clients to write SOAP requests directly to attacker-controlled file shares, potentially capturing network authentication challenges or overwriting critical files. More advanced exploitation uses the ServiceDescriptionImporter class, which does not validate URLs used to generate client proxies. This can allow attackers to drop fully functional web shells or PowerShell scripts remotely.
Since the vulnerability stems from how applications consume untrusted input rather than a defect purely in the framework, Microsoft declined to patch it after responsible disclosure in March 2024 and July 2025. The company advised users to avoid loading untrusted WSDL files or generating proxies that run code from unverified sources.
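One way an application can enforce that advice, shown as an added example that is not code from the researcher, Microsoft or the affected vendors: check every URL before it is handed to a SOAP client proxy or used to import a WSDL, and accept only http/https on known hosts. The class name, the host allowlist and `soap.example.internal` are assumptions.

```csharp
using System;
using System.Collections.Generic;

public static class SoapEndpointGuard
{
    // Assumption: hypothetical allowlist of hosts this application may call.
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "soap.example.internal" };

    // Returns null when the URL may be used, otherwise the reason it is rejected.
    public static string RejectionReason(string candidate)
    {
        Uri uri;
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out uri))
            return "not an absolute URI";
        // file:// URLs carry the "file" scheme, and on .NET Framework a UNC path
        // parses the same way, so a scheme allowlist rejects both.
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            return "scheme '" + uri.Scheme + "' is not http or https";
        if (!AllowedHosts.Contains(uri.Host))
            return "host '" + uri.Host + "' is not allowlisted";
        return null;
    }

    public static void Main()
    {
        // Constructed sample inputs, not taken from the research.
        string[] samples =
        {
            "https://soap.example.internal/service.asmx",
            "file:///C:/temp/out.txt",
            @"\\fileserver.example\share\out.txt",
            "https://untrusted.example/service.asmx?wsdl",
            "ftp://soap.example.internal/service"
        };
        foreach (string s in samples)
        {
            string why = RejectionReason(s);
            Console.WriteLine(why == null ? "ALLOW  " + s : "REJECT " + s + " (" + why + ")");
        }
    }
}
```

Only the first sample is allowed; the file URL, the UNC path, the unknown host and the ftp URL are each rejected with a reason that can be logged.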
Remediations have been offered by affected vendors. Barracuda Service Center RMM addressed the flaw in version 2025.1.1 (CVE-2025-34392, CVSS score 9.8), while Ivanti EPM released a fix in version 2024 SU4 SR1 (CVE-2025-13659, CVSS score 8.8). The vulnerability illustrates how expected framework behavior might lead to critical security risks such as arbitrary code execution and NTLM challenge capture.
“It is possible to make SOAP proxies write SOAP requests into files rather than sending them over HTTP,” Bazydlo stated. “In many cases, this leads to remote code execution through webshell uploads or PowerShell script uploads. The exact impact depends on the application using the proxy classes.”
More technical details are available via the watchTowr Labs report and the Black Hat Europe presentation.
