Barracuda RMM Service Center WSDL-Based Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in Barracuda RMM Service Center, in versions prior to 2025.1.1. The issue arises because the application does not validate URLs in attacker-controlled WSDL files, which can lead to arbitrary file writes and the execution of uploaded web shells. This vulnerability exploits a flaw in how the .NET Framework's HTTP client proxies handle WSDL imports, allowing for unauthorized access to the file system and execution of malicious code.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Barracuda RMM is running.

Reproduction

To reproduce this vulnerability, upload a malicious WSDL file to a Barracuda RMM instance running a version prior to 2025.1.1. The WSDL should be crafted to include a 'file' URL that points to a location accessible by the Barracuda RMM application. Once the WSDL is imported, the application will generate a SOAP client proxy that can be used to write data to the file system. By controlling the SOAP method arguments, it's possible to inject a web shell or other malicious payloads into the application.

Remediation

Users are advised to update Barracuda RMM to version 2025.1.1 or later, where this vulnerability has been patched.