CVE-2025-34153 is a critical vulnerability affecting Hyland Software's OnBase product, specifically versions prior to 17.0.2.87, though other versions may also be impacted. The vulnerability arises from insecure deserialization of untrusted data within the .NET Remoting TCP channel. OnBase registers a listener on port 6031 with the URI endpoint 'TimerServer', implemented in the Hyland.Core.Timers.dll assembly. This endpoint uses the .NET BinaryFormatter to deserialize incoming data without proper validation or sanitization. BinaryFormatter is known to be unsafe for deserializing untrusted input because it can instantiate arbitrary objects and invoke their methods during deserialization. An attacker can exploit this by sending specially crafted serialized payloads to the TimerServer endpoint, leading to remote code execution (RCE) under the NT AUTHORITY\SYSTEM context, which is the highest privilege level on Windows systems. This vulnerability requires no authentication or user interaction, making it highly exploitable remotely. The CVSS 4.0 score is 10.0 (critical), reflecting the vulnerability's ease of exploitation, lack of required privileges, and the severe impact on confidentiality, integrity, and availability. The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data), a common and dangerous software weakness. No known exploits are currently reported in the wild, but the criticality and straightforward exploitation vector make it a prime target for attackers once publicized. The lack of available patches at the time of reporting further increases risk for affected organizations.

For European organizations using Hyland OnBase, this vulnerability poses a severe risk. Successful exploitation leads to full system compromise with SYSTEM-level privileges, allowing attackers to execute arbitrary code, install malware, exfiltrate sensitive data, disrupt operations, or move laterally within networks. Given OnBase's role as an enterprise content management and document management system, attackers could access confidential business documents, personally identifiable information (PII), and other sensitive data protected under GDPR. The ability to execute code remotely without authentication means attackers can compromise systems at scale, potentially impacting multiple departments or subsidiaries. Disruption of OnBase services could halt critical business workflows, causing operational downtime and financial losses. Additionally, compromised systems could be used as footholds for further attacks against European infrastructure or supply chains. The criticality of this vulnerability demands immediate attention to prevent data breaches, regulatory penalties, and reputational damage.

1. Immediate mitigation should include network-level controls to restrict access to port 6031, allowing only trusted internal hosts or VPN users to connect. 2. Employ host-based firewalls or network segmentation to isolate OnBase servers from untrusted networks. 3. Monitor network traffic for unusual or unexpected connections to the TimerServer endpoint, and implement intrusion detection/prevention systems (IDS/IPS) signatures targeting .NET deserialization attack patterns. 4. Disable or restrict .NET Remoting TCP channel usage if feasible, or configure OnBase to avoid using BinaryFormatter for deserialization. 5. Apply vendor patches as soon as they become available; if no official patch exists, consider temporary workarounds such as disabling the vulnerable service or endpoint. 6. Conduct thorough audits of OnBase server logs for signs of exploitation attempts. 7. Educate IT and security teams about this vulnerability and ensure incident response plans are updated to address potential exploitation. 8. Consider deploying application-layer firewalls or runtime application self-protection (RASP) solutions that can detect and block malicious deserialization payloads. These targeted measures go beyond generic advice and focus on the specific attack vector and environment.