Ethical Hacking News
A .NET security flaw has left many enterprise-grade applications vulnerable to remote code execution attacks, despite Microsoft's refusal to fix the bug. This raises questions about user responsibility in handling untrusted inputs and Microsoft's approach to vulnerability reporting.
A critical vulnerability in Microsoft's .NET framework has been revealed, leaving many enterprise-grade applications vulnerable to remote code execution (RCE) attacks. The bug resides within the SoapHttpClientProtocol class and can be exploited by attackers to write arbitrary files and execute malicious payloads. The vulnerability arises from the way Microsoft's .NET framework handles Simple Object Access Protocol (SOAP) messages over HTTP, allowing an attacker to manipulate the target URL to write SOAP requests directly into local files. Microsoft initially refused to fix the bug, citing that developers should validate user inputs instead of addressing the issue itself. The vulnerability has been exploited in several products, including Barracuda Service Center and Umbraco 8 CMS, with more potentially affected products anticipated. The incident highlights the need for greater awareness among developers and users when handling untrusted inputs and raises questions about Microsoft's approach to vulnerability reporting and response.
In a recent revelation at Black Hat Europe, security researcher Piotr Bazydło unveiled a critical vulnerability in Microsoft's .NET framework that has left many enterprise-grade applications vulnerable to remote code execution (RCE) attacks. The bug, which resides within the SoapHttpClientProtocol class, can be exploited by attackers to write arbitrary files and execute malicious payloads, making it a high-risk security flaw.
According to Bazydło, the vulnerability arises from the way Microsoft's .NET framework handles Simple Object Access Protocol (SOAP) messages over HTTP. The SoapHttpClientProtocol class is designed to send SOAP requests over HTTP, but the generic request-creation method it relies on accepts URLs with other schemes as well, including ftp: and file:. An attacker who controls the target URL can therefore have the SOAP request written directly into a local file instead of sent to a web service.
"Its name and the official documentation both paint a simple picture: it should handle SOAP messages transported over HTTP. Straightforward. Predictable. Safe. Reality is less cooperative," Bazydło explained in his blog post shared with The Register before publication. "Wait, what? Why should a SOAP proxy be able to 'send' SOAP requests to a local file? Nobody on this planet expects to receive a valid SOAP response from the filesystem."
Microsoft was initially notified about the bug through the Zero Day Initiative (ZDI) in December 2024, with Bazydło presenting his findings at Black Hat Europe. However, despite repeated reports and attempts to inform Microsoft of the issue, the company reportedly refused to fix the bug, citing that developers should validate user inputs.
"Predictably, Microsoft treated the behavior as a feature rather than a vulnerability," Bazydło said. "The response blamed developers and users. According to Microsoft, the URL passed to SoapHttpClientProtocol should never be user-controlled, and it was the developer's responsibility to validate inputs."
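The check that Microsoft's response places on the developer, an allow-list on the endpoint URL before it ever reaches the proxy, as an added example in C#. This is not code from the article, the researcher, watchTowr or Microsoft; the `OrdersProxy` class, the `SoapEndpointGuard` helper and the sample URLs are assumed for illustration. It relies only on `System.Uri` and the `Url` property that `SoapHttpClientProtocol` inherits from `WebClientProtocol`.

```csharp
using System;
using System.Linq;
using System.Web.Services.Protocols;

// Hypothetical generated proxy: real ones are produced by wsdl.exe or "Add Web Reference"
// and derive from SoapHttpClientProtocol, inheriting the string Url property.
public class OrdersProxy : SoapHttpClientProtocol
{
    public OrdersProxy(string endpoint)
    {
        Url = endpoint;
    }
}

public static class SoapEndpointGuard
{
    // Accept only absolute http/https URLs. Without this check the proxy's generic
    // request creation also accepts file: and ftp: targets, the behaviour the article describes.
    // allowedHosts is optional: when the set of peers is fixed, pin the host as well.
    public static bool TryValidateEndpoint(string candidate, out Uri endpoint, string[] allowedHosts = null)
    {
        endpoint = null;
        if (string.IsNullOrWhiteSpace(candidate)) return false;
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out var uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return false;
        if (allowedHosts != null &&
            !allowedHosts.Any(h => string.Equals(h, uri.Host, StringComparison.OrdinalIgnoreCase)))
            return false;
        endpoint = uri;
        return true;
    }

    // Only a validated URL is ever assigned to the proxy; anything else fails closed.
    public static OrdersProxy CreateProxy(string candidate, string[] allowedHosts = null)
    {
        if (!TryValidateEndpoint(candidate, out var endpoint, allowedHosts))
            throw new ArgumentException("SOAP endpoint must be an absolute http(s) URL to an approved host", nameof(candidate));
        return new OrdersProxy(endpoint.AbsoluteUri);
    }

    public static void Main()
    {
        // Constructed samples (assumed values): only the first is accepted.
        var samples = new[]
        {
            "https://soap.example.test/orders.asmx",
            "file:///C:/temp/request.xml",
            "ftp://files.example.test/request.xml",
            "orders.asmx"
        };
        foreach (var sample in samples)
        {
            Console.WriteLine($"{sample} -> {TryValidateEndpoint(sample, out _)}");
        }
    }
}
```

The same guard belongs in front of any endpoint or WSDL location an application reads from configuration, an upload or a request parameter: the scheme check is cheap, and failing closed on anything other than http or https removes the file-write path regardless of what the rest of the request contains.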
A year after the initial notification, watchTowr began investigating Barracuda Service Center, a widely deployed Remote Monitoring and Management (RMM) platform, which turned out to be one of the enterprise-grade products affected by this .NET flaw. The researchers discovered that one of its SOAP API methods could be reached without authentication, allowing attackers to trigger the vulnerability by importing Web Services Description Language (WSDL) files.
"We found two ways to achieve remote code execution using this method: through uploading ASPX webshells; or dropping payloads (CSHTML webshells or PowerShell scripts) via the namespace of a SOAP request's body," Bazydło explained. He said that there are likely more ways to exploit the vulnerability, but the namespace technique was sufficient to exploit Ivanti Endpoint Manager and Umbraco 8 CMS.
While the list of affected products is thought to be longer than the one in the watchTowr report, Bazydło acknowledged that the widespread use of .NET makes it impractical to pinpoint every vulnerable product. He emphasized, however, that the vulnerability should be taken seriously.
"Given the wide usage of .NET, and the limitations of hours in a day, the list of affected products should be considered anecdotal," Bazydło said. "There are most definitely numerous vendor and in-house solutions affected, but bluntly, we believe we've made our point with the above list."
The incident highlights the need for greater awareness among developers and users when handling untrusted inputs. Microsoft's stance on this issue raises questions about the company's approach to vulnerability reporting and response.
"So first we blame the application. If that is not an option, because it would require fixing Microsoft's own code, we blame the user," Bazydło said. "The neanderthal user should have manually verified the WSDL file and realized that it could write SOAP requests to files instead of sending them over HTTP. Sigh."
Related Information:
https://www.ethicalhackingnews.com/articles/A-NET-Security-Flaw-A-Recipe-for-Remote-Code-Execution-and-a-Lesson-in-User-Vulnerability-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/12/10/microsoft_wont_fix_net_rce/
https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2025-patch-tuesday-fixes-1-zero-day-63-flaws/
https://windowsforum.com/threads/critical-cve-2025-21171-understanding-the-new-net-rce-vulnerability.349465/
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
https://www.reddit.com/r/Scams/comments/15g47df/concerning_email_about_a_apt_hacker_group/
Published: Wed Dec 10 11:43:02 2025 by llama3.2 3B Q4_K_M