Critical .NET Vulnerability SOAPwn Enables Remote Code Execution in Popular Applications

Critical .NET Framework Vulnerability Exposes Applications to Remote Code Execution

Recent research has identified a significant vulnerability within the .NET Framework, termed SOAPwn, which poses a substantial risk to enterprise applications by enabling remote code execution. This flaw, discovered by WatchTowr Labs, affects widely-used platforms such as Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8, with the potential to impact numerous other vendors due to the extensive adoption of .NET.

The vulnerability was detailed by security researcher Piotr Bazydlo at the Black Hat Europe security conference in London. SOAPwn exploits the handling of Web Services Description Language (WSDL) imports and HTTP client proxies within the .NET Framework, allowing attackers to execute arbitrary code by manipulating Simple Object Access Protocol (SOAP) messages.

Bazydlo explained that the flaw is most readily exploitable through SOAP clients, especially those generated dynamically from attacker-controlled WSDL files. By crafting malicious WSDL input, attackers can redirect .NET's HTTP client proxies to file-system handlers, so the SOAP request is written to disk instead of being sent over HTTP. The result is an arbitrary file write with potential code execution, and because the attacker controls the full write path, existing files can be overwritten as well.

In a hypothetical attack scenario, a threat actor could supply a Universal Naming Convention (UNC) path, such as file://attacker.server/poc/poc, causing the SOAP request to be written to an SMB share under their control. This method allows the attacker to capture the NTLM challenge and potentially crack it, further compromising the system.

The research also uncovered a more potent exploitation vector in applications that generate HTTP client proxies from WSDL files using the ServiceDescriptionImporter class. This class does not validate the URL used by the generated HTTP client proxy, enabling attackers to provide a URL pointing to a WSDL file they control. Consequently, they can achieve remote code execution by deploying fully functional ASPX web shells or additional payloads like CSHTML web shells or PowerShell scripts.

Following responsible disclosure in March 2024 and July 2025, Microsoft has opted not to address the vulnerability, stating that the issue arises from application behavior and advising users to avoid consuming untrusted input that can generate and run code.
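The two preceding paragraphs describe the root cause (the `soap:address` location from an untrusted WSDL becomes the generated proxy's endpoint with no validation) and Microsoft's advice not to consume untrusted input that generates code. The following is an added example of the kind of gate an application owner can put in front of `ServiceDescriptionImporter`; it is not code from the original article, the .NET Framework, or any of the vendors named. It assumes .NET Framework (`System.Web.Services`), and the class name `WsdlEndpointPolicy`, the allow-listed host and the embedded WSDL fragment are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Web.Services.Description;

// Hypothetical endpoint policy for code that builds SOAP proxies from WSDL it did not
// author. Not part of the .NET Framework and not any vendor's fix.
static class WsdlEndpointPolicy
{
    // Hosts this application is expected to call (constructed example value).
    static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "api.example.internal" };

    // True only for an absolute http(s) URL to an allow-listed host. file:// URLs and
    // UNC paths are what turn "send the request" into "write a file".
    public static bool IsSafeEndpoint(string location)
    {
        if (!Uri.TryCreate(location, UriKind.Absolute, out Uri uri)) return false;
        if (uri.IsFile || uri.IsUnc) return false;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return false;
        return AllowedHosts.Contains(uri.Host);
    }

    // Every <soap:address location="..."> in the document. The generated proxy copies this
    // value into its Url property, so check it before ServiceDescriptionImporter runs.
    public static List<string> EndpointLocations(string wsdlXml)
    {
        ServiceDescription wsdl = ServiceDescription.Read(new StringReader(wsdlXml));
        return (from Service svc in wsdl.Services
                from Port port in svc.Ports
                from object ext in port.Extensions
                where ext is SoapAddressBinding   // Soap12AddressBinding derives from it
                select ((SoapAddressBinding)ext).Location).ToList();
    }

    // Refuse the whole document if any port points outside policy (or declares no address).
    public static bool WsdlIsAcceptable(string wsdlXml)
    {
        List<string> locations = EndpointLocations(wsdlXml);
        return locations.Count > 0 && locations.All(IsSafeEndpoint);
    }

    static void Main()
    {
        // Constructed WSDL fragment carrying the kind of address the article describes.
        const string untrustedWsdl = @"<definitions xmlns=""http://schemas.xmlsoap.org/wsdl/""
          xmlns:soap=""http://schemas.xmlsoap.org/wsdl/soap/"" xmlns:tns=""urn:x"" targetNamespace=""urn:x"">
          <service name=""S""><port name=""P"" binding=""tns:B"">
          <soap:address location=""file://attacker.server/poc/poc""/></port></service></definitions>";
        Console.WriteLine(WsdlIsAcceptable(untrustedWsdl) ? "proxy may be generated" : "WSDL rejected");
    }
}
```

The same `IsSafeEndpoint` check belongs on the `Url` property of any `SoapHttpClientProtocol` instance immediately before a method is invoked, since that property can be reassigned after the proxy is constructed.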

The findings highlight how expected behavior in a widely-used framework can become an exploit path leading to NTLM relaying or arbitrary file writes. The issue has been addressed in Barracuda Service Center RMM version 2025.1.1 (CVE-2025-34392, CVSS score: 9.8) and Ivanti EPM version 2024 SU4 SR1 (CVE-2025-13659, CVSS score: 8.8).

Bazydlo emphasized that SOAP proxies can be manipulated to write SOAP requests into files rather than sending them over HTTP. In many cases, this leads to remote code execution through web shell uploads or PowerShell script uploads, with the exact impact depending on the application using the proxy classes.