.NET SOAPwn Flaw Opens Door for File Writes and Remote Code Execution via Rogue WSDL

These articles are AI-generated summaries. Please check the original sources for full details.

.NET SOAPwn Flaw Enables File Writes and Remote Code Execution

Research from watchTowr Labs details the “SOAPwn” vulnerability – an invalid cast flaw in the .NET Framework – allowing attackers to achieve remote code execution (RCE) in applications like Barracuda Service Center RMM and Ivanti Endpoint Manager (EPM). The issue stems from how .NET handles Simple Object Access Protocol (SOAP) messages and is triggered by attacker-supplied Web Services Description Language (WSDL) files.

Why This Matters

Ideal software models assume trusted input, but real-world applications frequently process data from untrusted sources. The SOAPwn flaw demonstrates how a design weakness in a widely used framework like .NET can be exploited to bypass security measures, potentially leading to significant data breaches and system compromise, with CVSS scores reaching 9.8 for affected products. Microsoft has declined to directly fix the issue, citing application-level misconfigurations.

Key Insights

  • SOAPwn discovery: watchTowr Labs, Black Hat Europe 2025
  • WSDL manipulation: Attackers can leverage WSDL imports to execute arbitrary code via HTTP client proxies.
  • NTLM relaying: Exploitation can involve writing SOAP requests to SMB shares, enabling NTLM challenge capture and cracking.

Practical Applications

  • Use Case: Barracuda Service Center RMM and Ivanti EPM are vulnerable, allowing attackers to upload webshells or execute PowerShell scripts.
  • Pitfall: Dynamically creating HTTP client proxies from untrusted WSDL files without validation introduces a critical security risk.
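
An added example, not code from watchTowr's research or from either vendor: one way to act on the pitfall above is to vet a WSDL document before any client proxy is generated from it. It assumes an allow-list policy (http/https only, known hosts); WsdlGate, Check, AllowedHosts and the sample hosts are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Xml;
using System.Xml.Linq;

// Added example: gate run on a WSDL document before a client proxy is generated from it.
static class WsdlGate
{
    // Assumption: hosts this application is expected to talk to (constructed value).
    static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "soap.partner.example" };

    // Attributes that carry a URL the WSDL importer or the generated proxy will follow.
    static readonly string[] UrlAttributes = { "location", "schemaLocation" };

    public static List<string> Check(string wsdlXml)
    {
        var problems = new List<string>();
        // Parse without DTDs or external entity resolution.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        XDocument doc;
        using (var reader = XmlReader.Create(new StringReader(wsdlXml), settings))
            doc = XDocument.Load(reader);

        foreach (var attr in doc.Descendants().Attributes()
                     .Where(a => UrlAttributes.Contains(a.Name.LocalName)))
        {
            // Relative values, non-HTTP schemes such as file:, and unknown hosts are rejected.
            if (!Uri.TryCreate(attr.Value, UriKind.Absolute, out Uri uri))
                problems.Add($"{attr.Parent.Name.LocalName}: not an absolute URL: {attr.Value}");
            else if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
                problems.Add($"{attr.Parent.Name.LocalName}: scheme '{uri.Scheme}' not allowed: {attr.Value}");
            else if (!AllowedHosts.Contains(uri.Host))
                problems.Add($"{attr.Parent.Name.LocalName}: host not allow-listed: {uri.Host}");
        }
        return problems;
    }

    static void Main()
    {
        // Constructed sample: one acceptable endpoint, one file: endpoint, one import from an unknown host.
        const string sample = @"<definitions xmlns='http://schemas.xmlsoap.org/wsdl/' xmlns:soap='http://schemas.xmlsoap.org/wsdl/soap/'>
  <import namespace='urn:x' location='http://unknown.example/extra.wsdl'/>
  <service name='S'>
    <port name='A' binding='b'><soap:address location='https://soap.partner.example/svc'/></port>
    <port name='B' binding='b'><soap:address location='file:///C:/temp/out.txt'/></port>
  </service></definitions>";
        foreach (var p in Check(sample)) Console.WriteLine(p);
    }
}
```

Generate the proxy only when Check returns an empty list, and run the same check on every document reached through an import.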
