CVE-2025-34392, also known as “SOAPwn,” is a critical vulnerability discovered by Piotr Bazydlo (@chudyPB) of watchTowr Labs in December 2025. This vulnerability exploits fundamental flaws in how the .NET Framework handles HTTP client proxies and Web Services Description Language (WSDL) imports, leading to potential remote code execution in vulnerable applications.
Key aspects of the vulnerability:
- Attack Mechanism: SOAPwn leverages an “invalid cast vulnerability” within the .NET Framework’s `HttpWebClientProtocol` class and its descendants (like `SoapHttpClientProtocol`). Normally, these classes are designed to handle SOAP messages over HTTP. However, due to a missing cast in the `GetWebRequest` method, the framework can be tricked into using other protocol handlers, such as `FileWebRequest`. When an attacker can control the URL passed to these proxies, they can direct them to write SOAP requests to arbitrary file paths, including network shares or local files. This can lead to arbitrary file writes, NTLM relaying, or, most critically, remote code execution through the upload of malicious webshells.
- Exploitation via WSDL Imports: The vulnerability becomes particularly potent when applications dynamically generate SOAP client proxies from attacker-controlled WSDL files. The `ServiceDescriptionImporter` class, used for this purpose, does not validate the URLs within the WSDL. This allows an attacker to craft a malicious WSDL that directs the generated proxy to use a `file://` URI. When the application then uses this generated proxy and attempts to execute a SOAP method, the SOAP request body is written to the attacker-specified file path, effectively achieving arbitrary file write and potentially remote code execution.
- Impact: Successful exploitation of CVE-2025-34392 can lead to significant impacts, ranging from information disclosure through NTLM relaying to complete system compromise via remote code execution. This can be achieved by dropping webshells (e.g., ASPX or CSHTML) or executing malicious PowerShell scripts.
Mitigation:
Microsoft has not released a specific patch for CVE-2025-34392 as they consider the root cause to be an application-level issue rather than a flaw in the .NET Framework itself. Their stance is that developers should not consume untrusted input that can generate and run code.
Therefore, mitigation relies on the following:
- Secure Coding Practices: Developers must ensure that any user-supplied input used to construct URLs for SOAP client proxies is rigorously validated to only allow trusted protocols (e.g., HTTP/HTTPS) and destinations.
- Application-Level Updates: Vendors of affected applications are responsible for implementing these validations. For example, Barracuda released a hotfix (2025.1.1) for Barracuda Service Center RMM to address this issue.
How bad is this?
According to VulnCheck and other sources, CVE-2025-34392 has a CVSS v4.0 Base Score of 10.0 (CRITICAL), with a vector string of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. This indicates a very high severity, allowing for network-based attacks with low complexity and no privileges or user interaction required to achieve high impact across all security requirements (confidentiality, integrity, and availability).
| Factor | Rating |
|---|---|
| Severity | Critical |
| Domain Access | Not required |
| Exploitation | Trivial to achieve remote code execution, especially when WSDL imports are involved |
Who is affected by this?
While the .NET Framework itself is the underlying component, the practical impact is on applications that utilize its HTTP client proxies in conjunction with WSDL imports from untrusted sources. Notably affected products include:
- Barracuda Service Center RMM: Versions prior to 2025.1.1. (CVE-2025-34392)
- Ivanti Endpoint Manager (EPM): Patched. (CVE-2025-13659)
- Umbraco 8 CMS: Reached End of Life (EoL) in February 2025, so may remain vulnerable.
- Microsoft PowerShell: Identified as vulnerable, with Microsoft stating it’s an application issue.
- Microsoft SQL Server Integration Services (SSIS): Identified as vulnerable.
The list is considered anecdotal, as many other .NET applications could be affected.
How is it exploited?
An attacker can exploit this vulnerability by:
- Controlling WSDL: If an application allows importing WSDL files from an attacker-controlled source, the attacker can craft a malicious WSDL.
- Directing File Writes: This WSDL can contain a `file://` URI that points to a location where the attacker wants to write data.
- Dropping Payloads: The application, when processing the WSDL and generating a SOAP proxy, will then use this `file://` URI. When a SOAP method is invoked, the SOAP request body, containing a webshell or other malicious code, is written to the specified file path, leading to remote code execution.
- NTLM Relaying: An attacker can also point the proxy to a UNC path on an SMB share they control, capturing NTLM authentication hashes.
How do I protect myself?
As Microsoft has not provided a framework-level patch, protection relies on:
- Application Vendor Patches: Ensure all relevant software, especially RMM and management tools that handle WSDL imports, are updated to the latest versions.
- Input Validation: For custom .NET applications, implement strict validation of URLs used in SOAP client proxies to prevent the use of unauthorized protocols like `file://` or UNC paths.
- Network Segmentation and Monitoring: Limit the ability of vulnerable systems to reach arbitrary network locations and monitor for suspicious file write or network connection attempts.
- Principle of Least Privilege: Ensure that applications and user accounts run with the minimum necessary privileges.
Mitigating factors?
The primary mitigating factor is rigorous input validation within applications that consume WSDLs or use SOAP client proxies with potentially untrusted URLs. By ensuring that only legitimate HTTP/HTTPS endpoints are accepted, the core attack vector of the “invalid cast vulnerability” is neutralized.
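The input-validation advice above, worked through as an added C# example (not code from watchTowr, Microsoft or any affected vendor): the endpoint addresses in a WSDL are checked before it reaches `ServiceDescriptionImporter`, and a hand-maintained proxy base class refuses to issue anything but an `HttpWebRequest` from `GetWebRequest`. The class names `SoapEndpointPolicy` and `StrictSoapClient` are assumptions for illustration.

```csharp
// Added example, not part of the original write-up. Class names are illustrative.
using System;
using System.Net;
using System.Web.Services.Protocols;
using System.Xml;

public static class SoapEndpointPolicy
{
    // Only absolute http/https URIs may become a proxy destination; file:// and
    // UNC paths (which the framework would hand to FileWebRequest) are rejected.
    public static bool IsAllowedEndpoint(string location)
    {
        if (!Uri.TryCreate(location, UriKind.Absolute, out Uri uri))
            return false;
        if (uri.IsFile || uri.IsUnc)
            return false;
        return uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps;
    }

    // Check every soap:address / soap12:address location in a WSDL document before
    // it is handed to ServiceDescriptionImporter; the generated proxy's Url comes from here.
    public static void ValidateWsdlEndpoints(XmlDocument wsdl)
    {
        var ns = new XmlNamespaceManager(wsdl.NameTable);
        ns.AddNamespace("soap", "http://schemas.xmlsoap.org/wsdl/soap/");
        ns.AddNamespace("soap12", "http://schemas.xmlsoap.org/wsdl/soap12/");
        foreach (XmlNode node in wsdl.SelectNodes("//soap:address | //soap12:address", ns))
        {
            string location = node.Attributes?["location"]?.Value ?? string.Empty;
            if (!IsAllowedEndpoint(location))
                throw new InvalidOperationException("Rejected WSDL endpoint: " + location);
        }
    }
}

// Defence in depth for proxies whose base class you control: even if Url is later
// reassigned from untrusted input, a non-HTTP(S) request is never created.
public class StrictSoapClient : SoapHttpClientProtocol
{
    protected override WebRequest GetWebRequest(Uri uri)
    {
        if (!SoapEndpointPolicy.IsAllowedEndpoint(uri.ToString()))
            throw new InvalidOperationException("Refusing non-HTTP(S) endpoint: " + uri);
        WebRequest request = base.GetWebRequest(uri);
        if (!(request is HttpWebRequest))
            throw new InvalidOperationException("Unexpected request type: " + request.GetType());
        return request;
    }
}
```

Proxies emitted by `ServiceDescriptionImporter` derive from `SoapHttpClientProtocol` directly, so for those the WSDL check before import is the control that matters; the subclass only helps where the proxy source is under your control.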
Additional Resources:
- watchTowr Labs Blog Post: SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL
- NVD Detail for CVE-2025-34392: https://nvd.nist.gov/vuln/detail/CVE-2025-34392
- dbugs Advisory: CVE-2025-34392 (link correction pending)
- VulnCheck Advisory: Barracuda RMM < 2025.1.1 Service Center Absolute Path Traversal RCE
- Barracuda Service Center RMM Hotfix Release Notes: https://download.mw-rmm.barracudamsp.com/PDF/2025.1.1/RN_BRMM_2025.1.1_EN.pdf