SOAPwn: New .NET Framework Primitives Enable RCE in Barracuda, Ivanti, and Potentially Thousands of Enterprise Apps
WatchTowr Labs disclosed SOAPwn at Black Hat Europe, revealing new .NET Framework primitives that allow remote code execution via HTTP client proxies and WSDL manipulation, already weaponized against Barracuda and Ivanti appliances.
At Black Hat Europe this year, researcher Piotr Bazydlo presented SOAPwn, a novel attack technique targeting the .NET Framework's SoapHttpClientProtocol class. The research, published today by WatchTowr Labs, demonstrates how an attacker can manipulate HTTP client proxies and WSDL definitions to achieve remote code execution (RCE) against a wide range of enterprise applications. Microsoft has classified the underlying issues as DONOTFIX, but WatchTowr successfully weaponized the primitives against real-world products, including Barracuda Service Center RMM (CVE-2025-34392) and Ivanti Endpoint Manager (CVE-2025-13659), both of which have since been patched.
The core vulnerability lies in the .NET Framework's HttpWebClientProtocol class, which serves as the parent for three HTTP client proxy types: SoapHttpClientProtocol, DiscoveryClientProtocol, and HttpSimpleClientProtocol. The method GetWebRequest creates a WebRequest object via WebRequest.Create without casting it to HttpWebRequest. This oversight allows an attacker who can influence the URL passed to the proxy to trigger an invalid cast vulnerability, potentially leading to arbitrary code execution. The research details how this can be exploited through WSDL manipulation and HTTP proxy configuration.
WatchTowr's investigation identified a broad attack surface due to the widespread use of .NET in enterprise environments. Beyond Barracuda and Ivanti, the researchers noted that Umbraco 8 CMS, Microsoft PowerShell, and SQL Server Integration Services are also potentially affected. The team emphasized that their review was 'extremely light' and that the list of affected products is anecdotal, suggesting that thousands of in-house and third-party .NET applications could be vulnerable. The whitepaper accompanying the presentation provides deeper technical analysis.
The most impactful demonstration involved Barracuda Service Center RMM, where the SOAPwn technique achieved pre-authenticated RCE. A video included in the blog post shows the exploit in action, highlighting the severity of the flaw. Barracuda addressed the issue in hotfix 2025.1.1, and Ivanti patched its Endpoint Manager. However, because Microsoft has declined to fix the underlying .NET Framework behavior, the onus falls on individual vendors to secure their implementations.
Microsoft's DONOTFIX classification means that the company does not consider the behavior a security vulnerability in the framework itself, but rather a design characteristic that applications must handle correctly. This stance places a significant burden on developers and vendors to audit their use of SoapHttpClientProtocol and related classes. WatchTowr argues that the widespread nature of the issue and the ease of exploitation make it a systemic risk, particularly for legacy .NET applications that may not receive timely updates.
The SOAPwn research underscores a growing trend where framework-level design flaws create cascading vulnerabilities across the software ecosystem. As enterprises continue to rely on .NET for critical infrastructure and management tools, the potential for exploitation remains high. WatchTowr recommends that organizations using .NET-based SOAP clients review their code for unsafe URL handling and apply vendor patches promptly. The full whitepaper and technical details are available on the WatchTowr Labs website.