CVE-2025-34153: CWE-502 Deserialization of Untrusted Data in Hyland Software OnBase
Hyland OnBase versions prior to 17.0.2.87 (other versions may be affected) are vulnerable to unauthenticated remote code execution via insecure deserialization on the .NET Remoting TCP channel. The service registers a listener on port 6031 with the URI endpoint TimerServer, implemented in Hyland.Core.Timers.dll. This endpoint deserializes untrusted input using the .NET BinaryFormatter, allowing attackers to execute arbitrary code under the context of NT AUTHORITY\SYSTEM.
AI Analysis
Technical Summary
CVE-2025-34153 is a critical vulnerability in Hyland Software's OnBase product, identified as CWE-502 (Deserialization of Untrusted Data). The vulnerability exists in the .NET Remoting TCP channel where the TimerServer endpoint listens on port 6031 and deserializes incoming data using the insecure .NET BinaryFormatter. This deserialization process does not validate or sanitize input, allowing attackers to craft malicious serialized payloads that execute arbitrary code on the target system. Exploitation requires no authentication or user interaction, and successful attacks run with NT AUTHORITY\SYSTEM privileges, effectively granting full control over the affected host. The vulnerability affects all versions prior to 17.0.2.87, though other versions may also be vulnerable. The flaw stems from the unsafe use of BinaryFormatter, which is known to be vulnerable to deserialization attacks if untrusted data is processed. The CVSS 4.0 base score is 10, reflecting the critical nature of this vulnerability with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the ease of exploitation and high privileges gained make this a severe threat. The vulnerability impacts organizations using OnBase for enterprise content management, document workflow, and business process automation, potentially leading to full system compromise, data theft, ransomware deployment, or lateral movement within networks.
Potential Impact
For European organizations, the impact of CVE-2025-34153 is substantial. OnBase is widely used in sectors such as government, healthcare, finance, and legal services for managing sensitive documents and workflows. Exploitation could lead to complete system takeover, exposing confidential data, disrupting critical business processes, and enabling further attacks such as ransomware or espionage. The vulnerability's unauthenticated nature means attackers can exploit it remotely without prior access, increasing the risk of widespread attacks. Organizations with OnBase instances exposed to untrusted networks or insufficiently segmented internal networks are particularly vulnerable. The compromise of OnBase servers could also serve as a pivot point for attackers to infiltrate broader IT infrastructure. Given the criticality of the vulnerability and the high privileges obtained, the potential for operational disruption, regulatory non-compliance (e.g., GDPR breaches), and reputational damage is high.
Mitigation Recommendations
1. Apply patches from Hyland Software immediately once available, prioritizing OnBase versions prior to 17.0.2.87.
2. Until patches are deployed, restrict network access to port 6031 using firewalls or network segmentation to limit exposure to trusted hosts only.
3. Disable or replace .NET Remoting usage in OnBase configurations if possible, as BinaryFormatter is inherently unsafe for untrusted data.
4. Monitor network traffic for unusual connections or payloads targeting port 6031 and implement intrusion detection rules specific to .NET deserialization attack patterns.
5. Conduct thorough audits of OnBase server configurations and logs to detect any signs of compromise.
6. Employ application whitelisting and endpoint protection to prevent execution of unauthorized code.
7. Educate IT staff about the risks of insecure deserialization and ensure secure coding practices in custom integrations with OnBase.
8. Consider isolating OnBase servers in dedicated network zones with strict access controls to minimize lateral movement risks.
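As an added example for mitigation step 4 (this is not Hyland's code and not part of the advisory), a small Python detector that flags TCP segments bound for the TimerServer port that carry a .NET BinaryFormatter stream. The 17-byte BinaryFormatter stream header comes from the public serialization format; the ".NET" frame preamble is my assumption from the .NET Remoting TCP protocol (MS-NRTP); the host allow-list and the sample segments are constructed.

```python
"""Added detection example for CVE-2025-34153 traffic (not Hyland's code).

Every BinaryFormatter stream begins with the same 17-byte
SerializationHeaderRecord (type 0, RootId 1, HeaderId -1, version 1.0), a
stable signature whatever the payload. Legitimate .NET Remoting calls carry it
too, so the verdict keys on the source host: the allow-list stands in for the
firewall rule in step 2. Sample segments are constructed, not captured.
"""
import struct

TIMER_SERVER_PORT = 6031            # listener port named in the advisory
TIMER_SERVER_URI = b"TimerServer"   # endpoint URI named in the advisory
REMOTING_PREAMBLE = b".NET"         # assumption: MS-NRTP frame ProtocolId
# SerializationHeaderRecord: record type byte 0x00, then four LE int32s
BINARYFORMATTER_MAGIC = b"\x00" + struct.pack("<iiii", 1, -1, 1, 0)


def analyse_segment(src_ip, dst_port, payload, trusted_sources):
    """Return indicator flags plus a verdict for one TCP segment payload."""
    flags = {
        "remoting_frame": payload.startswith(REMOTING_PREAMBLE),
        "binaryformatter_stream": BINARYFORMATTER_MAGIC in payload,
        "to_timer_server": dst_port == TIMER_SERVER_PORT
                           or TIMER_SERVER_URI in payload,
        "trusted_source": src_ip in trusted_sources,
    }
    if flags["binaryformatter_stream"] and flags["to_timer_server"]:
        # A serialized object headed for the vulnerable endpoint: only an
        # allow-listed OnBase component should ever send one.
        flags["verdict"] = "info" if flags["trusted_source"] else "high"
    elif flags["to_timer_server"]:
        flags["verdict"] = "low"    # non-serialized probe of the port; baseline it
    else:
        flags["verdict"] = "none"
    return flags


def demo():
    """Run the detector over constructed segments and return the verdicts."""
    trusted = frozenset({"10.0.0.5"})        # constructed app-server address
    remoting_call = (REMOTING_PREAMBLE + b"\x01\x00" + b"tcp://onbase:6031/"
                     + TIMER_SERVER_URI + BINARYFORMATTER_MAGIC + b"\x0c...")
    samples = [
        ("10.0.0.5", TIMER_SERVER_PORT, remoting_call),          # expected caller
        ("192.0.2.77", TIMER_SERVER_PORT, remoting_call),        # unknown caller
        ("192.0.2.77", TIMER_SERVER_PORT, b"GET / HTTP/1.1\r\n"),  # port scan
        ("10.0.0.9", 443, b"\x16\x03\x01\x00..."),               # unrelated TLS
    ]
    return [analyse_segment(s, p, d, trusted)["verdict"] for s, p, d in samples]
```

Because expected OnBase components also send BinaryFormatter streams to this port, the useful signal is the pairing of the header signature with a source outside the allow-list, not the signature alone.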
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.565Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 689cc539ad5a09ad004e1a4e
Added to database: 8/13/2025, 5:02:49 PM
Last enriched: 11/4/2025, 10:38:18 PM
Last updated: 11/14/2025, 6:14:16 AM