Executive Summary
In December 2025, security researchers at WatchTowr Labs revealed the 'SOAPwn' vulnerability (CVE-2025-34392 and CVE-2025-13659) impacting .NET Framework applications, including Barracuda Service Center RMM and Ivanti Endpoint Manager. Exploiting unsafe Web Services Description Language (WSDL) imports and HTTP client proxies, attackers could achieve remote code execution and arbitrary file writes on affected enterprise-grade systems. The flaw enabled threat actors to upload web shells, execute PowerShell scripts, or exfiltrate NTLM credentials via rogue SMB shares, potentially compromising entire application environments. Despite responsible disclosure, Microsoft stated the vulnerability is an application-level issue, leaving many unpatched systems at risk—especially those using components now at end-of-life such as Umbraco 8.
This incident underscores the widespread risks associated with dynamic SOAP and WSDL usage in legacy frameworks and highlights attackers' growing focus on exploiting insecure software supply chains and overlooked application behaviors. The public disclosure has intensified scrutiny of web service integrations and spurred new urgency around secure coding practices in software built atop widely adopted frameworks.
Why This Matters Now
With over a year since disclosure and limited vendor patches, SOAPwn demonstrates how fundamental flaws in prevalent enterprise frameworks can enable devastating attacks even without traditional vulnerabilities. As attackers increasingly probe older application architectures, organizations must act swiftly to audit SOAP/WSDL handling, update affected products, and eliminate untrusted input generation routes to minimize ongoing risk.
Attack Path Analysis
The attacker exploited vulnerable .NET SOAP services by supplying a malicious WSDL, leading to remote file upload on the targeted server (Initial Compromise). Through control of the filesystem, the attacker achieved code execution, potentially escalating privileges (Privilege Escalation). With execution on the host, the attacker could pivot to other workloads or network segments (Lateral Movement). Persistence and communication with external C2 servers were established using web shells or outbound connections (Command & Control). Sensitive data could be exfiltrated or credentials (e.g., NTLM hashes) leaked to external shares (Exfiltration). Ultimately, the attacker could deploy ransomware, disrupt operations, or leverage persistence for long-term access (Impact).
Kill Chain Progression
Initial Compromise
Description
The attacker gained a foothold by submitting an attacker-controlled WSDL to a vulnerable .NET SOAP API, resulting in arbitrary file write via crafted URLs.
Related CVEs
CVE-2025-34392 (CVSS 10)
Barracuda Service Center RMM versions prior to 2025.1.1 do not verify the URL defined in an attacker-controlled WSDL, leading to arbitrary file write and remote code execution via webshell upload.
Affected Products: Barracuda Service Center RMM – < 2025.1.1
Exploit Status: proof of concept

CVE-2025-13659 (CVSS 8.8)
Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote, unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution.
Affected Products: Ivanti Endpoint Manager – < 2024 SU4 SR1
Exploit Status: proof of concept
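The root cause named above is a WSDL whose URLs are trusted without checking. As an added example (not code from WatchTowr, Barracuda, Ivanti or Microsoft), the following pre-import check walks every URL a WSDL would make a generated client proxy follow and refuses anything that is not HTTPS to an allowlisted host; ALLOWED_HOSTS, the function names and the constructed SAMPLE_WSDL are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# (namespace, element, attribute) triples where a WSDL carries a URL that a
# dynamically generated client proxy will fetch, connect to, or hand to a file API.
URL_ATTRS = [
    ("http://schemas.xmlsoap.org/wsdl/soap/", "address", "location"),
    ("http://schemas.xmlsoap.org/wsdl/soap12/", "address", "location"),
    ("http://schemas.xmlsoap.org/wsdl/", "import", "location"),
    ("http://www.w3.org/2001/XMLSchema", "import", "schemaLocation"),
]

# Hypothetical allowlist of endpoints this application is meant to call.
ALLOWED_HOSTS = {"soap.example.internal"}

def referenced_urls(wsdl_text):
    """Every URL the WSDL would make a generated proxy follow."""
    root = ET.fromstring(wsdl_text)
    return [el.get(attr) for ns, tag, attr in URL_ATTRS
            for el in root.iter("{%s}%s" % (ns, tag)) if el.get(attr)]

def unsafe_urls(wsdl_text, allowed_hosts=ALLOWED_HOSTS):
    """(url, reason) pairs; refuse the import when the list is non-empty."""
    findings = []
    for url in referenced_urls(wsdl_text):
        p = urlparse(url)
        if p.scheme != "https":  # also rejects file:, http: and UNC \\host\share
            findings.append((url, "scheme %r is not https" % p.scheme))
        elif p.hostname not in allowed_hosts:
            findings.append((url, "host %r is not allowlisted" % p.hostname))
    return findings

# Constructed sample: one legitimate endpoint, one UNC import that would make
# the client reach out to an arbitrary share, one file: URL into the local disk.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <types><xsd:schema>
    <xsd:import schemaLocation="file:///C:/data/types.xsd"/>
  </xsd:schema></types>
  <service name="Svc"><port name="P">
    <soap:address location="https://soap.example.internal/svc.asmx"/>
  </port></service>
  <import location="\\\\203.0.113.9\\share\\extra.wsdl"/>
</definitions>"""

if __name__ == "__main__":
    for url, reason in unsafe_urls(SAMPLE_WSDL):
        print("REJECT", url, reason)
```

Run the check on the fetched document before it is handed to the WSDL importer or proxy generator, and log the rejected URLs so a SOC can spot probing of the endpoint.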
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Phishing: Spearphishing Attachment
Command and Scripting Interpreter: PowerShell
Ingress Tool Transfer
Indicator Removal on Host: File Deletion
Windows Management Instrumentation
Remote Services: SMB/Windows Admin Shares
Create Account
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – System Components and Software Managed for Vulnerabilities
Control ID: 6.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Regulation (EU) 2022/2554) – ICT Systems Security Requirements
Control ID: Article 9
NIS2 Directive – Supply Chain Security and System Development
Control ID: Article 21(2)(d)
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Automated Application Vulnerability Identification and Mitigation
Control ID: Application/Workload Pillar: Vulnerability Management
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
The .NET SOAPwn vulnerability enables remote code execution through WSDL imports, affecting enterprise applications with SOAP clients and making patching of affected products an immediate priority.
Information Technology/IT
This critical application vulnerability impacts IT infrastructure through arbitrary file writes and web shell deployment, demanding zero trust segmentation and threat detection capabilities.
Financial Services
SOAP-based banking applications face remote code execution risks and NTLM credential theft, violating PCI compliance requirements and enabling lateral movement attacks.
Health Care / Life Sciences
Healthcare systems using .NET SOAP services are vulnerable to data exfiltration and system compromise, threatening HIPAA compliance and patient data security.
Sources
- .NET SOAPwn Flaw Opens Door for File Writes and Remote Code Execution via Rogue WSDL – https://thehackernews.com/2025/12/net-soapwn-flaw-opens-door-for-file.html
- NVD - CVE-2025-34392 – https://nvd.nist.gov/vuln/detail/CVE-2025-34392
- NVD - CVE-2025-13659 – https://nvd.nist.gov/vuln/detail/CVE-2025-13659
- SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies and WSDL – https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/
- Security Advisory EPM December 2025 for EPM 2024 – https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Cloud Network Security Framework controls such as Zero Trust Segmentation, egress enforcement, threat detection, and east-west workload security would have significantly limited or detected exploitation, code execution, lateral movement, and data exfiltration, thereby reducing attack impact and dwell time across the kill chain.
Control: Inline IPS (Suricata)
Mitigation: Prevents or alerts on exploitation attempts using known signatures.
Control: Threat Detection & Anomaly Response
Mitigation: Detects new/abnormal script execution or privilege changes.
Control: Zero Trust Segmentation
Mitigation: Prevents unauthorized inter-service traffic and lateral movement.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks malicious outbound traffic and unauthorized destinations.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents unauthorized data transfer to external entities.
Enables rapid detection and containment of destructive behavior.
Impact at a Glance
Affected Business Functions
- IT Management
- Network Security
- Web Services
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive configuration files and user credentials due to arbitrary file write and remote code execution vulnerabilities.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation across all SOAP/API workloads to eliminate broad east-west attack surfaces.
- Deploy Egress Security & Policy Enforcement to restrict outbound connections and block C2/data exfiltration destinations.
- Enable Threat Detection & Anomaly Response capabilities for real-time alerting on abnormal code execution or privilege use.
- Protect all workloads with Inline IPS to automatically detect and block exploit attempts targeting exposed APIs and known vulnerabilities.
- Establish centralized multicloud visibility to continuously monitor, audit, and enforce security posture across distributed infrastructure.