CVE-2025-34153 is a critical remote code execution vulnerability affecting Hyland Software's OnBase product, specifically versions prior to 17.0.2.87, though other versions may also be impacted. The vulnerability arises from insecure deserialization (CWE-502) in the .NET Remoting TCP channel, where the TimerServer endpoint listens on port 6031 and deserializes data using the .NET BinaryFormatter. This deserialization process does not validate or sanitize input, allowing attackers to craft malicious serialized objects that, when deserialized, execute arbitrary code. The code executes under the NT AUTHORITY\SYSTEM context, granting full system privileges. The attack vector requires no authentication or user interaction, making it trivially exploitable remotely over the network. The vulnerability affects all deployments exposing the TimerServer endpoint, potentially allowing attackers to gain complete control over affected systems. Although no public exploits are known yet, the vulnerability's characteristics and CVSS 10.0 score indicate a critical threat. The root cause is the use of BinaryFormatter, which is widely recognized as insecure for deserializing untrusted data. Mitigation requires patching or disabling the vulnerable endpoint and restricting network access to port 6031.

The impact of CVE-2025-34153 is severe and far-reaching. Successful exploitation allows unauthenticated attackers to execute arbitrary code with SYSTEM-level privileges, effectively granting full control over the affected server. This can lead to complete compromise of the OnBase system, including unauthorized access to sensitive documents and data managed by OnBase, disruption of business-critical document workflows, and potential lateral movement within the victim network. The confidentiality, integrity, and availability of the affected systems are all at high risk. Organizations relying on OnBase for document management and workflow automation could face operational downtime, data breaches, and regulatory compliance violations. Given the ease of exploitation and high privileges gained, this vulnerability represents a critical threat to any organization using vulnerable OnBase versions, especially those exposing the service to untrusted networks.

To mitigate CVE-2025-34153, organizations should immediately upgrade Hyland OnBase to version 17.0.2.87 or later where the vulnerability is addressed. If patching is not immediately possible, restrict network access to port 6031 by implementing firewall rules to block inbound traffic from untrusted sources. Disable or isolate the TimerServer endpoint if feasible to prevent exposure. Conduct network segmentation to limit access to OnBase servers only to trusted internal systems. Monitor network traffic for unusual activity targeting port 6031 and implement intrusion detection/prevention systems with signatures for .NET deserialization attacks. Review and harden .NET Remoting configurations to avoid using insecure serialization mechanisms like BinaryFormatter. Additionally, apply the principle of least privilege to OnBase service accounts and regularly audit logs for suspicious behavior. Prepare incident response plans to quickly contain and remediate any exploitation attempts.