SOAP Vulnerability in .NET Framework Allows Remote Code Execution
Redazione RHC : 14 December 2025 08:44

Security researchers have disclosed a vulnerability in .NET that could affect several enterprise products and lead to remote code execution. The issue stems from the way Microsoft .NET-based applications handle SOAP messages, and Microsoft, according to the researchers, is refusing to fix it, shifting the responsibility onto developers and users.

Piotr Bazydło of watchTowr reported the discovery at the Black Hat Europe conference. He said that several commercial and internal solutions are vulnerable to remote code execution (RCE) attacks due to errors in the handling of SOAP messages in .NET applications.

The key issue is the SoapHttpClientProtocol class. The researcher explained that attackers can abuse it in various ways, depending on their goals. This class inherits from HttpWebClientProtocol, like other proxy clients, but SoapHttpClientProtocol is the one most commonly found in source code, so watchTowr focused on it.

On paper, it all seems harmless: both the class name and the official documentation indicate that it should handle SOAP messages over HTTP. A “simple, predictable, and secure” scenario, as Bazydło wryly observes. In practice, things are more complicated.

The class is responsible for setting the SOAP service target URL and invoking the SOAP method. The vulnerability arises when an attacker controls this URL, because of the way SoapHttpClientProtocol creates the underlying client. Although it is designed to work with HTTP requests, it internally uses a generalized request mechanism that supports multiple protocols: HTTP/HTTPS, FTP, and even FILE.

If an attacker replaces the web address with a file system URL, the class won’t throw an error, but will simply write the SOAP request (sent via the POST method) directly to the file. “Why would a SOAP proxy ‘send’ requests to a local file? No sane person would expect to receive a valid SOAP response from the file system,” the researcher notes.

This behavior can be exploited to write arbitrary files, including XML data from a SOAP request. A less destructive, but still unpleasant, scenario could involve NTLM relay attacks.
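The mitigation Microsoft points to is validation of the URL before it ever reaches SoapHttpClientProtocol. The following C# example is added here and is not code from watchTowr or from the article: it assumes a hypothetical generated proxy class (InventoryServiceClient) and an assumed allowlisted host, and it rejects any scheme other than http/https and any host outside the allowlist before assigning the Url property.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Services.Protocols;

// Hypothetical proxy for illustration. Proxies generated by wsdl.exe
// inherit from SoapHttpClientProtocol in exactly this way.
public class InventoryServiceClient : SoapHttpClientProtocol { }

public static class SoapEndpointGuard
{
    // Assumed allowlist of SOAP hosts this application may call.
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "inventory.internal.example",
        };

    // True only for an absolute http:// or https:// URL whose host is allowlisted.
    // file://, ftp:// and UNC-style inputs fail the scheme check here, so they
    // never reach the multi-protocol request factory inside the proxy.
    public static bool TryValidateEndpoint(string untrusted, out Uri endpoint)
    {
        endpoint = null;
        if (string.IsNullOrWhiteSpace(untrusted))
            return false;
        if (!Uri.TryCreate(untrusted, UriKind.Absolute, out Uri parsed))
            return false;
        bool isHttp = parsed.Scheme == Uri.UriSchemeHttp
                   || parsed.Scheme == Uri.UriSchemeHttps;
        if (!isHttp || !AllowedHosts.Contains(parsed.Host))
            return false;
        endpoint = parsed;
        return true;
    }

    // Only a validated URL is ever assigned to SoapHttpClientProtocol.Url.
    public static InventoryServiceClient CreateClient(string untrustedUrl)
    {
        if (!TryValidateEndpoint(untrustedUrl, out Uri endpoint))
            throw new ArgumentException("SOAP endpoint rejected: scheme or host not allowed.");
        return new InventoryServiceClient { Url = endpoint.AbsoluteUri };
    }
}
```

With this guard, a constructed input such as "file:///C:/temp/out.xml" or "ftp://example.test/x" is rejected with an exception rather than being turned into a file write, while "https://inventory.internal.example/Inventory.asmx" is accepted.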

Bazydło initially reported the issue to Microsoft through the Zero Day Initiative (ZDI). According to him, the company responded that it wouldn’t fix the bug because developers shouldn’t allow the use of untrusted input data.

“As expected, Microsoft considered this a ‘feature’ rather than a vulnerability,” he writes. “The response placed the blame squarely on developers and users. According to Microsoft, the URL passed to SoapHttpClientProtocol should never be inspected by the user, and input validation is entirely the developer’s responsibility.”

Bazydło sarcastically adds that, of course, “all developers regularly decompile .NET Framework assemblies and study the internal implementation, knowing full well that an ‘HTTP client proxy’ can be tricked into writing data to disk. How could it be otherwise?”

A year later, the watchTowr team began analyzing Barracuda Service Center, a “widely used RMM platform,” which was also vulnerable to the technique described above. Researchers discovered that its SOAP API could be called without authentication and thus found an alternative exploit route: importing Web Services Description Language (WSDL) files.

The key point is that an attacker can provide the application with a URL pointing to a WSDL file under their control. The vulnerable application uses this description to generate an HTTP client proxy, after which Bazydło was able to achieve remote code execution in two ways: by uploading an ASPX web shell to the server, or by injecting the payload (a CSHTML web shell or a PowerShell script) into the namespace of the SOAP request body.

This namespace-based technique, the researchers claim, also allowed the successful exploitation of Ivanti Endpoint Manager and Umbraco 8 CMS. While the watchTowr report specifically mentions these products, the researchers emphasize that the actual list of affected solutions is much larger.
