A security research post detailing 'SOAPwn', a class of vulnerabilities in .NET Framework HTTP client proxies (SoapHttpClientProtocol, DiscoveryClientProtocol, HttpSimpleClientProtocol). The root cause is an invalid cast bug in HttpWebClientProtocol.GetWebRequest: it calls WebRequest.Create without enforcing HTTP schemes, allowing file:// and UNC paths. This enables NTLM relaying, arbitrary file writes, and ultimately remote code execution via ASPX/CSHTML webshell drops. The attack surface is dramatically widened when applications use ServiceDescriptionImporter to generate SOAP proxies from attacker-controlled WSDL files, since the WSDL's service address is embedded verbatim into the generated proxy URL. Affected products include Barracuda Service Center RMM (CVE-2025-34392, patched), Ivanti Endpoint Manager (CVE-2025-13659, patched), Umbraco 8 CMS, Microsoft PowerShell, and SQL Server Integration Services. Microsoft declined to fix the framework-level issue, classifying it as an application responsibility. The post includes a full exploit HTTP request for Barracuda and code walkthroughs for Umbraco.
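An application-side check for the WSDL-import case described above, added here as an example (it is not code from the original post, from Microsoft, or from any affected vendor): it rejects a WSDL whose service address is not http(s) before the document reaches ServiceDescriptionImporter. The class and method names and the sample WSDL are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Xml;
using System.Xml.Linq;

public static class WsdlAddressGuard   // hypothetical helper, not a framework type
{
    // True only for absolute http:// or https:// URLs. On .NET Framework,
    // System.Uri parses file:// URLs, drive paths and UNC paths as scheme
    // "file"; those, and anything that fails to parse, are rejected.
    public static bool IsHttpUrl(string value)
    {
        Uri uri;
        return Uri.TryCreate(value, UriKind.Absolute, out uri)
            && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
    }

    // Returns every <*:address location="..."> value that is not http(s).
    // The soap, soap12 and http binding extensions share the local name "address".
    public static List<string> FindUnsafeAddresses(string wsdlXml)
    {
        // The WSDL is untrusted input: no DTDs, no external entity resolution.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(wsdlXml), settings))
        {
            return XDocument.Load(reader).Descendants()
                .Where(e => e.Name.LocalName == "address")
                .Select(e => (string)e.Attribute("location") ?? "")
                .Where(loc => !IsHttpUrl(loc))
                .ToList();
        }
    }

    public static void Main()
    {
        // Constructed sample WSDL fragment; hosts and paths are placeholders.
        const string wsdl = @"<definitions xmlns='http://schemas.xmlsoap.org/wsdl/'
  xmlns:soap='http://schemas.xmlsoap.org/wsdl/soap/'>
  <service name='Demo'>
    <port name='A' binding='tns:B'><soap:address location='https://svc.example.test/api.asmx'/></port>
    <port name='B' binding='tns:B'><soap:address location='file:///C:/placeholder/out.txt'/></port>
    <port name='C' binding='tns:B'><soap:address location='\\fileserver.example.test\share\out.txt'/></port>
  </service>
</definitions>";
        foreach (var loc in FindUnsafeAddresses(wsdl))
            Console.WriteLine("rejecting WSDL, non-HTTP service address: " + loc);
    }
}
```

The same `IsHttpUrl` check can be applied to a generated proxy's `Url` property before any method is invoked, which covers proxies whose address is set from configuration rather than from a WSDL.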
Table of contents

HttpWebClientProtocol - Invalid Cast Vulnerability
Practical Exploitation #1 - NTLM Relaying
Practical Exploitation #2 - Arbitrary File Write
Reporting to Microsoft #1 - No Fix
Exploitation Through WSDL Imports
Practical Exploitation #3 - WSDL Imports
Reporting to Microsoft #2 - WSDL Update
List of Discovered Vulnerable Codebases
Exploitation - Barracuda Service Center RMM RCE (CVE-2025-34392)
Exploitation - Umbraco 8 CMS
Final Microsoft Response
Final Thoughts