CVE-2025-58384
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on DOXENSE WATCHDOC systems by exploiting insecure deserialization in the .NET Remoting library within the administration interface. Attackers can achieve full system compromise without authentication. Organizations using WATCHDOC versions before 6.1.1.5332 are affected.
💻 Affected Systems
- DOXENSE WATCHDOC
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with administrative privileges, data exfiltration, ransomware deployment, and lateral movement across the network.
Likely Case
Remote code execution leading to installation of backdoors, credential theft, and persistence mechanisms on vulnerable WATCHDOC servers.
If Mitigated
Limited impact if proper network segmentation, application firewalls, and least privilege principles are implemented.
🎯 Exploit Status
Deserialization vulnerabilities in .NET Remoting are well-documented attack vectors with known exploitation patterns. The CVSS 10.0 score indicates trivial exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.1.1.5332
Vendor Advisory: https://doc.doxense.com/Watchdoc/J_Securite/cve-2025-58384.htm
Restart Required: Yes
Instructions:
1. Download the update from https://update.doxense.com/
2. Backup current configuration and data
3. Install version 6.1.1.5332 or later
4. Restart the WATCHDOC service
5. Verify the update was successful
🔧 Temporary Workarounds
Disable .NET Remoting
Windows: Disable .NET Remoting in the WATCHDOC configuration if not required for functionality
Modify the Watchdoc configuration file to set remotingEnabled=false
Network Segmentation
Windows: Restrict access to the WATCHDOC administration interface using firewall rules
netsh advfirewall firewall add rule name="Block_Watchdoc_Admin" dir=in action=block protocol=TCP localport=[ADMIN_PORT]
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure of the administration interface
- Deploy application-level firewalls or WAF rules to detect and block deserialization attacks
🔍 How to Verify
Check if Vulnerable:
Check the WATCHDOC version in the administration interface or configuration files. If the version is below 6.1.1.5332, the system is vulnerable.
Check Version:
Check the Watchdoc application properties or configuration file for version information
Verify Fix Applied:
Verify the version shows 6.1.1.5332 or higher in the administration interface and test that the .NET Remoting endpoint no longer accepts malicious payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual .NET Remoting requests in application logs
- Deserialization errors or exceptions
- Unexpected process creation from WATCHDOC service
Network Indicators:
- Unusual traffic to WATCHDOC administration port
- Suspicious serialized .NET objects in network traffic
SIEM Query:
source="watchdoc.log" AND ("Deserialization" OR "Remoting" OR "TypeConfusion")
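Where no SIEM is available, the same three search terms can be run directly over a copy of the log file. The script below is an added example, not vendor or site code; the sample lines are constructed because the real watchdoc.log layout is not given on this page, and case-insensitive matching is an assumption made here.

```python
import re
from collections import Counter

# Terms taken from the SIEM query above.
TERMS = ("Deserialization", "Remoting", "TypeConfusion")
# Assumption: match case-insensitively so "remoting" is not missed.
TERM_RE = re.compile("|".join(re.escape(t) for t in TERMS), re.IGNORECASE)
CANONICAL = {t.lower(): t for t in TERMS}

# Constructed sample lines (not real WATCHDOC output).
SAMPLE_LOG = """\
2025-09-01 08:14:02 INFO  Print queue refreshed (12 devices)
2025-09-01 08:15:40 WARN  Remoting channel: request from 10.20.30.44 rejected
2025-09-01 08:15:41 ERROR Deserialization failed: unexpected type in stream
2025-09-01 08:15:41 ERROR remoting sink threw SerializationException
2025-09-01 08:20:00 INFO  Nightly report generated
"""


def scan(lines):
    """Return (line_number, sorted matched terms, text) for each matching line."""
    hits = []
    for number, text in enumerate(lines, start=1):
        found = {CANONICAL[m.lower()] for m in TERM_RE.findall(text)}
        if found:
            hits.append((number, sorted(found), text.rstrip()))
    return hits


def summarize(hits):
    """Count how many lines matched each query term."""
    counts = Counter()
    for _, terms, _ in hits:
        counts.update(terms)
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for number, terms, text in hits:
        print(f"line {number}: {', '.join(terms)} | {text}")
    print(dict(summarize(hits)))
```

To use it on a real file, pass the open file object to scan() in place of the sample lines.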