CVE-2025-34392
📋 TL;DR
This vulnerability in Barracuda Service Center allows attackers to upload malicious WSDL files that bypass URL validation, leading to arbitrary file writes and remote code execution via webshells. It affects all Barracuda RMM Service Center installations running versions prior to 2025.1.1. Organizations using Barracuda's RMM solution for managed service provider operations are at risk.
💻 Affected Systems
- Barracuda RMM Service Center
📦 What is this software?
Rmm by Barracuda
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining persistent remote access, data exfiltration, lateral movement across managed endpoints, and complete control over the RMM infrastructure.
Likely Case
Attackers deploy webshells to execute arbitrary commands, install malware, steal credentials, and pivot to managed client systems through the RMM platform.
If Mitigated
Limited impact with proper network segmentation, but still potential for initial foothold in the RMM management plane.
🎯 Exploit Status
Detailed technical analysis and exploitation methodology published by WatchTowr Labs. The vulnerability leverages SOAP/WSDL processing flaws in .NET Framework applications.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.1.1
Vendor Advisory: https://download.mw-rmm.barracudamsp.com/PDF/2025.1.1/RN_BRMM_2025.1.1_EN.pdf
Restart Required: Yes
Instructions:
1. Download Barracuda RMM version 2025.1.1 from official sources.
2. Back up the current configuration and databases.
3. Run the installer with administrative privileges.
4. Restart the Barracuda Service Center service.
5. Verify the update through the management console.
🔧 Temporary Workarounds
Network Access Restriction
Platform: all
Restrict network access to Barracuda Service Center to only trusted management IP addresses
WSDL Processing Disable
Platform: windows
Disable automatic WSDL processing if not required for functionality
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Barracuda RMM from the internet and untrusted networks
- Deploy web application firewall (WAF) rules to block suspicious SOAP/WSDL requests and file upload patterns
🔍 How to Verify
Check if Vulnerable:
Check Barracuda Service Center version in the management console under Help > About. If version is below 2025.1.1, the system is vulnerable.
Check Version:
Check the Barracuda Service Center web interface or examine installed programs in Windows Control Panel.
Verify Fix Applied:
Confirm version shows 2025.1.1 or higher in the management console. Test WSDL processing with controlled test files to ensure URL validation is enforced.
📡 Detection & Monitoring
Log Indicators:
- Unusual WSDL file uploads
- SOAP requests with external URLs
- Webshell file creation in web directories
- Unusual process execution from web server context
Network Indicators:
- HTTP POST requests with WSDL content to Barracuda Service Center endpoints
- Outbound connections from Barracuda server to unexpected external IPs
SIEM Query:
source="barracuda-rmm" AND ((event_type="file_upload" AND file_extension="wsdl") OR (process_name="w3wp.exe" AND (command_line CONTAINS "powershell" OR command_line CONTAINS "cmd")))
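For the "Webshell file creation in web directories" indicator above, a sweep like the following lists recently written script-capable files under a web root. It is an added example, not Barracuda's tooling or part of the original page; the -WebRoot path is a placeholder you supply, and the extension list and 14-day window are assumptions.

```powershell
# Added example, not Barracuda's tooling: list script-capable files under a web
# root that were created or modified inside a look-back window.
param(
    # Placeholder: the page does not state the Service Center web directory.
    [Parameter(Mandatory = $true)]
    [string]$WebRoot,

    # Assumed default look-back window in days.
    [int]$Days = 14,

    # Assumed set of extensions that IIS / ASP.NET will execute or load.
    [string[]]$Extensions = @('.aspx', '.ashx', '.asmx', '.asp', '.cshtml', '.config', '.dll')
)

if (-not (Test-Path -LiteralPath $WebRoot -PathType Container)) {
    throw "Web root not found: $WebRoot"
}

$cutoff = (Get-Date).AddDays(-$Days)

# -Force includes hidden files; -contains is case-insensitive for strings.
$hits = Get-ChildItem -LiteralPath $WebRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($Extensions -contains $_.Extension) -and
        (($_.CreationTime -ge $cutoff) -or ($_.LastWriteTime -ge $cutoff))
    } |
    Sort-Object -Property LastWriteTime -Descending |
    Select-Object -Property FullName, CreationTime, LastWriteTime, Length,
        @{ Name = 'Owner';  Expression = { (Get-Acl -LiteralPath $_.FullName).Owner } },
        @{ Name = 'SHA256'; Expression = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } }

if ($hits) {
    # Each row is a file to reconcile against the server's change record.
    $hits | Format-List
} else {
    Write-Output "No matching files changed under $WebRoot in the last $Days days."
}
```

File timestamps can be altered after the fact, so an empty result is one signal only; comparing the hashes against a known-good 2025.1.1 installation gives a stronger check.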
🔗 References
- https://download.mw-rmm.barracudamsp.com/PDF/2025.1.1/RN_BRMM_2025.1.1_EN.pdf
- https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/
- https://www.barracuda.com/products/msp/network-protection/rmm
- https://www.vulncheck.com/advisories/barracuda-rmm-service-center-absolute-path-traversal-rce