Ethical Hacking News
Microsoft's refusal to fix a .NET vulnerability has sparked outrage among developers and security researchers. The flaw can be abused to write arbitrary files, which can lead to remote code execution (RCE), or, less severely, to perform NTLM relay attacks. Despite repeated reports, Microsoft continues to attribute the problem to developers accepting untrusted input rather than to the framework.
Microsoft refuses to fix a vulnerability in its .NET framework that can be exploited for remote code execution (RCE) attacks. The bug affects numerous enterprise-grade products and solutions built on the .NET framework. The vulnerability arises from the way SoapHttpClientProtocol creates clients, allowing attackers to manipulate target URLs and write files or execute code. Microsoft was initially informed of the issue a year ago but received a response stating that users should not accept untrusted input. Despite this, researchers found multiple enterprise-grade products vulnerable to the .NET exploits. Microsoft's response has been met with skepticism among developers, who argue that the issue lies with the design of the .NET framework rather than user error.
Microsoft has sparked a heated debate among developers and security researchers by refusing to fix a vulnerability in its .NET framework, which can be exploited for remote code execution (RCE) attacks. The bug, identified by principal vulnerability researcher at watchTowr, Piotr Bazydło, affects numerous enterprise-grade products and solutions built on the .NET framework.
According to Bazydło, the SoapHttpClientProtocol class in .NET is designed to handle SOAP messages transported over HTTP but has a generic creation method that supports multiple protocols. The vulnerability arises when an attacker can manipulate the target URL of the SOAP service and the way SoapHttpClientProtocol creates clients. If an attacker sets the target URL to a file system instead of an HTTP web address, the class will ignore the error and then write the SOAP request directly into the file.
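The behavior described above is an input-validation problem on the client side: whatever the proxy's Url property is set to is handed to the underlying WebRequest machinery, so a non-HTTP target is not rejected. The following C# snippet, added here as an illustration and not code from watchTowr or Microsoft, contrasts the risky pattern (assigning Url straight from request data) with a checked version that only accepts absolute http/https URLs to an allow-listed host and disables ambient Windows credentials. The proxy class InventoryServiceProxy, the host name inventory.internal.example and the allow-list are constructed for the example; a real proxy is generated by wsdl.exe or "Add Web Reference" and targets .NET Framework's System.Web.Services.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Services.Protocols;

// Hypothetical generated SOAP proxy; real ones come from wsdl.exe / "Add Web Reference".
public class InventoryServiceProxy : SoapHttpClientProtocol { }

public static class SoapEndpointGuard
{
    // Constructed allow-list of hosts this application is meant to call.
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "inventory.internal.example" };

    // Risky pattern: the endpoint comes straight from an untrusted request parameter.
    // Any URI scheme that WebRequest.Create understands (including file paths) is accepted as-is.
    public static InventoryServiceProxy CreateUnchecked(string endpointFromRequest)
    {
        var proxy = new InventoryServiceProxy();
        proxy.Url = endpointFromRequest;
        return proxy;
    }

    // Hardened pattern: reject anything that is not an absolute http(s) URL to a known host,
    // and never send the process's default Windows credentials to the endpoint.
    public static InventoryServiceProxy CreateChecked(string endpointFromRequest)
    {
        if (!Uri.TryCreate(endpointFromRequest, UriKind.Absolute, out Uri uri))
            throw new ArgumentException("Endpoint must be an absolute URL.");

        // Drive-letter paths and UNC paths parse with the "file" scheme and are rejected here.
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Endpoint scheme must be http or https.");

        // Even a valid http(s) URL must point at a host the application is supposed to talk to.
        if (!AllowedHosts.Contains(uri.Host))
            throw new ArgumentException("Endpoint host is not allow-listed.");

        var proxy = new InventoryServiceProxy();
        proxy.Url = uri.ToString();
        proxy.UseDefaultCredentials = false; // no ambient NTLM/Kerberos auth to the chosen endpoint
        proxy.Credentials = null;
        return proxy;
    }
}
```

The scheme check alone closes the file-write path; the host allow-list additionally prevents the proxy from being pointed at an arbitrary network host, and clearing default credentials removes the authentication-relay angle even if an unexpected host were ever reached.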
This unintended behavior can be abused by attackers to write arbitrary files whose contents include the XML data of the SOAP request, or, less impactfully, to mount NTLM relay attacks. Bazydło reported the issue to Microsoft via the Zero Day Initiative (ZDI) a year ago but received a response stating that developers should not allow untrusted inputs.
Despite being told by Microsoft that it was not its fault that users were accepting untrusted input, researchers at watchTowr continued to investigate and found that multiple enterprise-grade products, including Barracuda Service Center and Umbraco 8 CMS, were vulnerable to the .NET exploits. The researcher also discovered two ways to achieve remote code execution using this method: through uploading ASPX webshells or dropping payloads (CSHTML webshells or PowerShell scripts) via the namespace of a SOAP request's body.
Bazydło expressed frustration with Microsoft's response, stating that "so first we blame the application. If that is not an option, because it would require fixing Microsoft's own code, we blame the user." He emphasized that the issue was not with the developers but with the design of the .NET framework itself.
The watchTowr team reported their findings to Microsoft in July but received a response similar to the one they had received through ZDI. Ivanti contacted The Register to confirm that its issues were patched on December 9.
Microsoft has since doubled down on its stance, emphasizing that users should avoid consuming untrusted input that could generate and execute code. However, this response has been met with skepticism among developers, who argue that the issue lies with the design of the .NET framework rather than user error.
Related Information:
https://www.ethicalhackingnews.com/articles/Microsofts-Refusal-to-Address-NET-RCE-Vulnerability-Sparks-Outrage-Among-Developers-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/12/10/microsoft_wont_fix_net_rce/
Published: Fri Dec 12 10:53:55 2025 by llama3.2 3B Q4_K_M