CVE-2025-34153 is a critical vulnerability affecting Hyland Software's OnBase document management system versions prior to 17.0.2.87, with other versions potentially impacted. The vulnerability stems from insecure deserialization of untrusted data via the .NET Remoting TCP channel. OnBase registers a listener on TCP port 6031 exposing the TimerServer endpoint, implemented in Hyland.Core.Timers.dll, which deserializes input using the .NET BinaryFormatter. This deserialization process is unsafe because it allows attackers to craft malicious serialized objects that, when deserialized, execute arbitrary code within the context of the OnBase service. The code execution occurs with NT AUTHORITY\SYSTEM privileges, granting full control over the affected system. Exploitation requires no authentication or user interaction, making it trivially exploitable remotely over the network. The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data), a common and dangerous flaw in .NET applications that use BinaryFormatter without proper input validation or sandboxing. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) reflects a network attack vector with low complexity, no privileges or user interaction needed, and high impact on confidentiality, integrity, and availability. No patches were linked at the time of publication, and no known exploits have been observed in the wild, but the critical nature demands immediate attention from affected organizations.

The impact of CVE-2025-34153 on European organizations is severe. Successful exploitation allows attackers to gain full system control with NT AUTHORITY\SYSTEM privileges, enabling them to execute arbitrary code, install malware, steal sensitive data, disrupt business operations, and move laterally within networks. Given OnBase's role in managing critical documents and workflows, compromise could lead to exposure of confidential information, regulatory non-compliance, and operational downtime. The unauthenticated and remote nature of the exploit increases the risk of widespread attacks, especially in environments where the vulnerable service is exposed to untrusted networks. European organizations in sectors such as government, healthcare, finance, and legal services, which often rely on OnBase for document management, are particularly vulnerable. The potential for ransomware deployment or espionage following exploitation also raises significant concerns for data privacy and national security within Europe.

Organizations should immediately inventory their OnBase deployments to identify affected versions and isolate systems exposing TCP port 6031. Network segmentation and firewall rules should be applied to restrict access to the TimerServer endpoint to trusted internal hosts only. Until official patches are released, consider disabling or blocking the .NET Remoting TCP channel if feasible, or applying application-layer controls to validate and sanitize incoming serialized data. Monitor network traffic for unusual activity targeting port 6031 and deploy intrusion detection/prevention systems with signatures for suspicious deserialization attempts. Implement strict endpoint protection and behavior monitoring to detect exploitation attempts. Once Hyland releases patches or updates, apply them promptly. Additionally, review and harden .NET application configurations to avoid use of insecure BinaryFormatter deserialization and adopt safer serialization frameworks. Conduct security awareness training to ensure rapid incident response if exploitation is suspected.