CVE-2025-66631: CWE-502: Deserialization of Untrusted Data in MarimerLLC csla
CSLA .NET is a framework designed for the development of reusable, object-oriented business layers for applications. Versions 5.5.4 and below allow the use of WcfProxy. WcfProxy uses the now-obsolete NetDataContractSerializer (NDCS) and is vulnerable to remote code execution during deserialization. This vulnerability is fixed in version 6.0.0. To work around this issue, remove the WcfProxy from data portal configurations.
AI Analysis
Technical Summary
CVE-2025-66631 is a deserialization vulnerability classified under CWE-502 affecting the CSLA .NET framework developed by MarimerLLC. Specifically, versions 5.5.4 and below that utilize the WcfProxy component are vulnerable. WcfProxy relies on the NetDataContractSerializer (NDCS), which is now obsolete and insecure for deserializing untrusted data. This serializer can deserialize malicious payloads crafted by attackers, leading to remote code execution (RCE) without requiring authentication or user interaction. The vulnerability allows an attacker to send specially crafted serialized data to the vulnerable service endpoint, which, when deserialized, executes arbitrary code in the context of the application. This can lead to full system compromise, data theft, or disruption of services. The vulnerability has a CVSS 4.0 base score of 7.2, reflecting its high impact and ease of exploitation over the network. The issue is resolved in CSLA .NET version 6.0.0 by removing the WcfProxy usage or replacing the serialization mechanism with a safer alternative. No known exploits are currently reported in the wild, but the vulnerability's characteristics make it a significant risk for affected deployments.
Potential Impact
For European organizations, this vulnerability poses a serious threat, especially to those relying on CSLA .NET for business-critical applications involving sensitive data processing. Successful exploitation can lead to remote code execution, enabling attackers to gain unauthorized access, manipulate or exfiltrate confidential information, disrupt business operations, or deploy further malware. The lack of required authentication and user interaction increases the risk of automated attacks and wormable exploits. Industries such as finance, healthcare, and government, which often use .NET frameworks for internal and external applications, could face severe operational and reputational damage. Additionally, compliance with GDPR and other data protection regulations may be jeopardized if personal data is compromised. The vulnerability also raises concerns about supply chain security if third-party applications incorporate vulnerable CSLA versions.
Mitigation Recommendations
European organizations should prioritize upgrading all CSLA .NET framework instances to version 6.0.0 or later, where the vulnerability is fixed. If immediate upgrading is not feasible, they should remove the WcfProxy component from data portal configurations to eliminate the attack surface. Conduct thorough code audits and dependency checks to identify all applications using vulnerable CSLA versions. Implement network-level protections such as firewall rules and intrusion detection systems to monitor and restrict access to endpoints exposing WcfProxy services. Employ application-layer input validation and serialization hardening techniques to prevent deserialization of untrusted data. Regularly update and patch all related software components and maintain an inventory of affected assets. Finally, conduct security awareness and incident response training focused on deserialization vulnerabilities and remote code execution threats.
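The audit and dependency check recommended above can be scripted. The following is an added example, not code from the advisory or from the CSLA project: it walks a checkout, flags SDK-style `.csproj` files that reference a CSLA package below 6.0.0, and flags config or source files that still mention `WcfProxy` or `NetDataContractSerializer`. The sample checkout, the `CSLA-Core` package id and the `CslaDataPortalProxy` appSettings key are constructed for the demo and are assumptions; adjust the package match and file suffixes to your own projects.

```python
"""Audit helper for CVE-2025-66631 exposure in CSLA .NET checkouts (added example)."""
import re
import tempfile
from pathlib import Path

# First CSLA release that drops WcfProxy, per the advisory text above.
FIXED_VERSION = (6, 0, 0)
# Tokens whose presence in config or source points at the vulnerable transport
# or the obsolete serializer it relies on.
RISKY_TOKENS = ("WcfProxy", "NetDataContractSerializer")
# SDK-style PackageReference with Include then Version attributes (assumed layout;
# projects that use a nested <Version> element need a second pattern).
PACKAGE_RE = re.compile(
    r'<PackageReference\s+Include="(?P<id>[^"]+)"\s+Version="(?P<ver>[^"]+)"',
    re.IGNORECASE,
)


def parse_version(text):
    """Turn '5.5.4' or '6.0.0-preview1' into a comparable (major, minor, patch) tuple."""
    core = text.split("-", 1)[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def vulnerable_packages(csproj_text):
    """Return (package id, version) pairs for CSLA packages below the fixed version."""
    findings = []
    for match in PACKAGE_RE.finditer(csproj_text):
        pkg, ver = match.group("id"), match.group("ver")
        if "csla" in pkg.lower() and parse_version(ver) < FIXED_VERSION:
            findings.append((pkg, ver))
    return findings


def risky_references(text):
    """Return the set of risky tokens that appear in a config or source file."""
    return {token for token in RISKY_TOKENS if token in text}


def audit_tree(root):
    """Walk a checkout and return sorted (relative path, finding) tuples."""
    root = Path(root)
    report = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="ignore")
        if path.suffix == ".csproj":
            for pkg, ver in vulnerable_packages(text):
                report.append((rel, f"package {pkg} {ver} < 6.0.0"))
        if path.suffix in (".config", ".cs", ".json"):
            for token in sorted(risky_references(text)):
                report.append((rel, f"references {token}"))
    return sorted(report)


# Constructed sample checkout: one legacy project still on 5.5.4 with WcfProxy
# configured, one project already on 6.0.0. Package id and appSettings key are
# illustrative assumptions, not values taken from the advisory.
SAMPLE_FILES = {
    "Legacy/Legacy.csproj": (
        '<Project Sdk="Microsoft.NET.Sdk">\n  <ItemGroup>\n'
        '    <PackageReference Include="CSLA-Core" Version="5.5.4" />\n'
        "  </ItemGroup>\n</Project>\n"
    ),
    "Legacy/App.config": (
        "<configuration>\n  <appSettings>\n"
        '    <add key="CslaDataPortalProxy" value="Csla.DataPortalClient.WcfProxy, Csla" />\n'
        "  </appSettings>\n</configuration>\n"
    ),
    "Modern/Modern.csproj": (
        '<Project Sdk="Microsoft.NET.Sdk">\n  <ItemGroup>\n'
        '    <PackageReference Include="CSLA-Core" Version="6.0.0" />\n'
        "  </ItemGroup>\n</Project>\n"
    ),
    "Modern/Program.cs": "// data portal configured in code; no WCF transport\n",
}


def demo():
    """Materialise the sample checkout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        return audit_tree(tmp)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

Run it against a real checkout with `audit_tree("/path/to/repo")`; any `package ... < 6.0.0` line is an upgrade target, and any `references WcfProxy` line is a data portal configuration that still needs the workaround applied even if the package has already been bumped.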
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-05T15:42:44.716Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69379c1c0af42da4c573d32a
Added to database: 12/9/2025, 3:48:44 AM
Last enriched: 12/16/2025, 6:07:43 AM
Last updated: 2/7/2026, 6:36:00 PM