CVE-2025-34394

9.8 CRITICAL

📋 TL;DR

Barracuda Service Center in the RMM solution prior to version 2025.1.1 exposes a .NET Remoting service that allows deserialization of arbitrary types, enabling remote attackers to execute arbitrary code. This affects organizations using Barracuda's RMM solution for remote monitoring and management. The vulnerability is remotely exploitable without authentication.

💻 Affected Systems

Products:
  • Barracuda RMM (Remote Monitoring and Management) Service Center
Versions: All versions prior to 2025.1.1
Operating Systems: Windows (as .NET Remoting is Windows-specific)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Barracuda Service Center component of the RMM solution when .NET Remoting is enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise allowing attacker to install malware, steal credentials, pivot to other systems, and maintain persistent access to the network.

🟠 Likely Case: Remote code execution leading to data theft, ransomware deployment, or unauthorized access to managed endpoints.

🟢 If Mitigated: Limited impact if network segmentation isolates the RMM server and strict access controls are in place.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication and affects internet-facing RMM servers.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows lateral movement and compromise of managed endpoints.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Deserialization vulnerabilities in .NET Remoting are well-understood attack vectors with existing exploitation frameworks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.1.1

Vendor Advisory: https://download.mw-rmm.barracudamsp.com/PDF/2025.1.1/RN_BRMM_2025.1.1_EN.pdf

Restart Required: Yes

Instructions:

1. Download Barracuda RMM version 2025.1.1 from the vendor portal.
2. Back up the current configuration.
3. Run the installer to upgrade.
4. Restart the Barracuda Service Center service.

🔧 Temporary Workarounds

Disable .NET Remoting Service

Platform: Windows

Disable the vulnerable .NET Remoting endpoint if not required for functionality.

Stop-Service -Name "Barracuda Service Center"
# Then modify the configuration to disable the .NET Remoting endpoint

Network Segmentation

Platform: Windows

Restrict network access to the Barracuda Service Center port (default 9000) using firewall rules.

New-NetFirewallRule -DisplayName "Block Barracuda RMM" -Direction Inbound -LocalPort 9000 -Protocol TCP -Action Block

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the Barracuda RMM server from other critical systems.
  • Monitor network traffic to the Barracuda Service Center port (default 9000) for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check Barracuda RMM version in the administration console or via the installed program version. Versions below 2025.1.1 are vulnerable.

Check Version:

Get-CimInstance -ClassName Win32_Product | Where-Object {$_.Name -like "*Barracuda RMM*"} | Select-Object Name, Version

Verify Fix Applied:

Verify the version shows 2025.1.1 or higher in the administration console and test that .NET Remoting functionality still works if required.
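
The version check and the port 9000 exposure described above can be combined into one pass on the Service Center host. This is an added example, not vendor code or part of the original advisory; it assumes the product's display name matches "*Barracuda RMM*" and that the service uses the default TCP port 9000, both as stated on this page.

```powershell
# Added example (not vendor code). Assumptions: DisplayName matches '*Barracuda RMM*'
# and Service Center listens on TCP 9000, both taken from this page.
$FixedVersion = [version]'2025.1.1'
$Port = 9000

function Test-RmmVulnerable {
    param([string]$DisplayVersion)
    $parsed = $null
    # An unparseable or empty version is reported as unknown ($null), not as safe.
    if (-not [version]::TryParse($DisplayVersion, [ref]$parsed)) { return $null }
    return $parsed -lt $FixedVersion
}

# 1. Installed version, read from the uninstall registry keys (64- and 32-bit views).
#    This avoids Win32_Product, which runs an MSI consistency check on every query.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Barracuda RMM*' } |
    ForEach-Object {
        [pscustomobject]@{
            Product    = $_.DisplayName
            Version    = $_.DisplayVersion
            Vulnerable = Test-RmmVulnerable -DisplayVersion "$($_.DisplayVersion)"
        }
    } | Format-Table -AutoSize

# 2. Listeners on the port that are bound to something other than loopback.
Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize

# 3. Peers currently connected to the port, for comparison with the expected
#    list of managed sites and technician workstations.
Get-NetTCPConnection -State Established -LocalPort $Port -ErrorAction SilentlyContinue |
    Group-Object RemoteAddress | Select-Object Name, Count | Format-Table -AutoSize

# 4. Enabled inbound firewall rules that name the port explicitly.
#    Rules that cover it through a range or 'Any' are not matched here.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Action | Format-Table -AutoSize
```

Run it from an elevated PowerShell session; a `Vulnerable` value of `True` together with a non-loopback listener and no blocking rule means the host is both unpatched and reachable.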

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from Barracuda Service Center
  • Failed authentication attempts to the .NET Remoting service
  • Abnormal network connections from the RMM server

Network Indicators:

  • Suspicious traffic to port 9000 (default .NET Remoting port) from unexpected sources
  • Unusual outbound connections from the RMM server

SIEM Query:

source="Barracuda RMM" AND (event_id=4688 OR process_name="powershell.exe" OR process_name="cmd.exe")
