SOAPwn Vulnerabilities in .NET Framework Expose Critical RCE Risks Across Enterprise Platforms
Recent research has unveiled a class of vulnerabilities termed SOAPwn within the legacy .NET Framework’s SOAP client code. These vulnerabilities pose significant remote code execution (RCE) risks across various enterprise products, including Barracuda Service Center RMM, Ivanti Endpoint Manager, Umbraco CMS 8, Microsoft PowerShell, and SQL Server Integration Services.
Understanding the SOAPwn Vulnerability Class
Presented by security researcher Piotr Bazydlo at Black Hat Europe 2025, the SOAPwn vulnerabilities stem from the way .NET’s SOAP HTTP client proxies handle URLs. The affected proxy classes—SoapHttpClientProtocol, DiscoveryClientProtocol, and HttpSimpleClientProtocol—inherit from HttpWebClientProtocol. This inheritance leads to the internal use of WebRequest.Create(uri) without enforcing HTTP-only schemes. Consequently, if an attacker can influence the URL property, either directly or through WSDL imports, the proxy may inadvertently switch from HTTP to file:// or UNC paths. This switch transforms a network SOAP call into a local or remote file write operation.
This design flaw enables several attack vectors. At a basic level, attackers can relay NTLM credentials by directing SOAP traffic to SMB shares. More critically, when combined with attacker-controlled WSDL and SOAP arguments, this behavior becomes an arbitrary-file-write primitive. In practical scenarios, researchers have exploited this to inject ASPX or CSHTML webshells or malicious PowerShell scripts into web-accessible paths, leading to full RCE.
Affected Products and CVE Details
A preliminary review of standard .NET-based solutions has identified multiple impacted products:
– Barracuda Service Center RMM: This product exposed a pre-authenticated SOAP method that dynamically imports WSDL, generates a proxy via ServiceDescriptionImporter, compiles it, and invokes attacker-chosen methods with supplied arguments. A single crafted SOAP request was sufficient to write a webshell to disk. This vulnerability is tracked as CVE-2025-34392 and has been patched in hotfix 2025.1.1.
– Ivanti Endpoint Manager (EPM): Similarly exploitable via CSHTML payloads smuggled through namespaces in malicious WSDL files. This vulnerability is identified as CVE-2025-13659.
– Umbraco 8 CMS: Allowed authenticated users with Forms permissions to define arbitrary web service data sources pointing to an attacker’s WSDL, leading to the same vulnerable proxy path.
– Microsoft PowerShell and SQL Server Integration Services (SSIS): Both were found vulnerable when consuming untrusted WSDL.
Mitigation and Recommendations
Despite these issues arising from core .NET proxy behavior, Microsoft has assigned these findings a DONOTFIX status at the framework level, characterizing them as application-layer problems and opting to update documentation instead of implementing code changes.
For defenders, the following practical guidance is recommended:
1. Identify and Secure ServiceDescriptionImporter Usage: Locate and restrict any use of ServiceDescriptionImporter that processes attacker-controlled WSDL.
2. Audit Proxy Class Usage: Review all instances of SoapHttpClientProtocol, DiscoveryClientProtocol, HttpPostClientProtocol, and HttpGetClientProtocol where the URL property may be influenced by user input.
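One way to enforce the HTTP-only scheme check that the proxy classes lack, applied wherever an audit finds a Url value that user input or an imported WSDL can influence. This is an added example, not code from the researcher, Microsoft or any affected product; the SoapUrlGuard class, its method names and the sample URLs are hypothetical.

```csharp
using System;
using System.Web.Services.Protocols; // .NET Framework, System.Web.Services.dll

// Hypothetical helper (not part of .NET): accept only http/https endpoints.
public static class SoapUrlGuard
{
    public static Uri RequireHttp(string candidate)
    {
        Uri uri;
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out uri))
            throw new ArgumentException("SOAP endpoint is not an absolute URI.");
        // Local paths and UNC shares parse as file URIs; reject them explicitly.
        if (uri.IsFile || uri.IsUnc)
            throw new ArgumentException("SOAP endpoint must not be a file or UNC path.");
        bool isHttp =
            string.Equals(uri.Scheme, Uri.UriSchemeHttp, StringComparison.OrdinalIgnoreCase) ||
            string.Equals(uri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase);
        if (!isHttp)
            throw new ArgumentException("SOAP endpoint scheme is not http/https: " + uri.Scheme);
        return uri;
    }

    // Use for user-influenced values instead of assigning proxy.Url directly.
    public static void SetUrl(HttpWebClientProtocol proxy, string candidate)
    {
        proxy.Url = RequireHttp(candidate).AbsoluteUri;
    }

    // A proxy generated from WSDL may already carry a Url taken from that WSDL,
    // so re-check it immediately before invoking any method on the proxy.
    public static void Verify(HttpWebClientProtocol proxy)
    {
        RequireHttp(proxy.Url);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample values: one HTTPS endpoint, one file URI, one UNC path.
        string[] samples = { "https://soap.example.test/svc.asmx",
            "file:///C:/temp/out.xml", @"\\files.example.test\share\out.xml" };
        foreach (string s in samples)
        {
            try { SoapUrlGuard.RequireHttp(s); Console.WriteLine("allowed: " + s); }
            catch (ArgumentException e) { Console.WriteLine("blocked: " + s + " (" + e.Message + ")"); }
        }
    }
}
```

The guard only constrains the scheme; deciding which HTTP hosts a proxy may contact is a separate control.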
Given the age and widespread use of the .NET Framework in enterprise environments, similar SOAP-style vulnerabilities are likely to surface in many more in-house and vendor solutions. Proactive auditing and securing of these components are essential to mitigate potential risks.