CVE-2020-25258
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Hyland OnBase servers by sending specially crafted SOAP messages that exploit insecure deserialization in ASP.NET BinaryFormatter. It affects all OnBase versions up to 16.0.2.83, 17.0.2.109, 18.0.0.37, 19.8.16.1000, and 20.3.10.1000.
💻 Affected Systems
- Hyland OnBase
📦 What is this software?
Onbase by Hyland
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with remote code execution leading to data theft, ransomware deployment, or lateral movement across the network.
Likely Case
Remote code execution allowing attackers to install backdoors, steal sensitive document data, or disrupt business operations.
If Mitigated
Limited impact if proper network segmentation, application firewalls, and input validation are in place.
🎯 Exploit Status
Public exploit details available in Full Disclosure mailing list. Attack requires sending malicious SOAP payloads to vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions above the affected ranges: 16.0.2.84+, 17.0.2.110+, 18.0.0.38+, 19.8.16.1001+, 20.3.10.1001+
Vendor Advisory: https://www.hyland.com/en/security-advisories
Restart Required: Yes
Instructions:
1. Obtain the updated OnBase version from Hyland support.
2. Back up the current installation.
3. Apply the patch following Hyland's upgrade documentation.
4. Restart OnBase services.
5. Verify the fix by testing the SOAP endpoints.
🔧 Temporary Workarounds
Block SOAP endpoints at network perimeter
Restrict access to OnBase SOAP endpoints using firewall rules or a WAF.
# Example Windows Firewall rule: block inbound TCP 80/443 to the process that serves the OnBase SOAP endpoints.
# Windows Firewall cannot filter by URL path, so scope the rule by program and/or remoteip and use a WAF for path-level blocking.
# netsh program= must point at an executable, not a directory; the path below is a placeholder to fill in.
netsh advfirewall firewall add rule name="Block OnBase SOAP" dir=in action=block protocol=TCP localport=80,443 remoteip=any program="<full path to the OnBase web service executable, installed under C:\Program Files\Hyland\OnBase\>"
# Adjust paths, ports and remoteip (for example, allow only trusted client subnets) as needed
Implement input validation for SOAP messages
Add custom validation to reject malformed or oversized SOAP requests before they reach deserialization.
# Requires custom code modification in the OnBase SOAP handlers (or a request filter in front of them)
# Implement XML schema validation plus size and pattern checks on incoming SOAP messages, and reject base64 payloads that decode to a BinaryFormatter stream
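The pre-deserialization check described above, as an added example that is not part of this advisory or of Hyland's code: it rejects oversized or malformed bodies and any base64 text node that decodes to a BinaryFormatter stream header, which is the on-wire form of the "serialized .NET objects" listed under Network Indicators. The element names, namespace usage, size limit and sample messages are constructed assumptions.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

# A BinaryFormatter stream opens with a SerializationHeaderRecord:
# record type 0x00, RootId=1, HeaderId=-1, MajorVersion=1, MinorVersion=0.
BINARYFORMATTER_HEADER = bytes.fromhex("0001000000ffffffff0100000000000000")
MAX_BODY_BYTES = 64 * 1024  # constructed limit; tune to real OnBase traffic
_B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]{24,}$")


def _looks_like_base64(text: str) -> bool:
    return bool(_B64_RE.match(text.strip()))


def inspect_soap(body: bytes, max_bytes: int = MAX_BODY_BYTES):
    """Return (accept, reason) for a raw SOAP request body, checked before deserialization."""
    if len(body) > max_bytes:
        return False, "body exceeds size limit"
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag.rsplit("}", 1)[-1] != "Envelope":
        return False, "root element is not a SOAP Envelope"
    for elem in root.iter():
        text = (elem.text or "").strip()
        if not _looks_like_base64(text):
            continue
        try:
            raw = base64.b64decode(text, validate=False)
        except (binascii.Error, ValueError):
            continue
        if raw.startswith(BINARYFORMATTER_HEADER):
            return False, f"BinaryFormatter stream in <{elem.tag}>"
    return True, "ok"


# Constructed sample messages (not real OnBase traffic).
_NS = "http://schemas.xmlsoap.org/soap/envelope/"
BENIGN_SOAP = f"""<s:Envelope xmlns:s="{_NS}"><s:Body>
<GetDocument xmlns="urn:example"><DocID>12345</DocID></GetDocument>
</s:Body></s:Envelope>""".encode()
# Header plus zero filler: the shape of a serialized-object payload, with no object data.
_FAKE_STREAM = base64.b64encode(BINARYFORMATTER_HEADER + b"\x00" * 32).decode()
SUSPICIOUS_SOAP = f"""<s:Envelope xmlns:s="{_NS}"><s:Body>
<Upload xmlns="urn:example"><Data>{_FAKE_STREAM}</Data></Upload>
</s:Body></s:Envelope>""".encode()

if __name__ == "__main__":
    for name, msg in (("benign", BENIGN_SOAP), ("suspicious", SUSPICIOUS_SOAP)):
        print(name, inspect_soap(msg))
```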
🧯 If You Can't Patch
- Isolate OnBase servers in a segmented network with strict inbound/outbound firewall rules.
- Implement a Web Application Firewall (WAF) with rules to detect and block malicious SOAP payloads.
🔍 How to Verify
Check if Vulnerable:
Check OnBase version via Administration Client: Help → About OnBase. Compare against affected version ranges.
Check Version:
In OnBase Administration Client: Navigate to Help → About OnBase to view version.
Verify Fix Applied:
After patching, verify version is above affected ranges. Test SOAP endpoints with safe payloads to ensure proper deserialization.
📡 Detection & Monitoring
Log Indicators:
- Unusual SOAP request patterns in IIS logs
- Errors related to BinaryFormatter.Deserialize in application logs
- Unexpected process creation from OnBase services
Network Indicators:
- Malformed SOAP messages containing serialized .NET objects
- Unusual outbound connections from OnBase servers
SIEM Query:
source="IIS" AND (uri_path="*.asmx" OR uri_path="*soap*") AND (status=500 OR bytes_received>100000) | stats count by src_ip