.NET SOAPwn Flaw Opens Door for File Writes and Remote Code Execution via Rogue WSDL
New research has uncovered exploitation primitives in the .NET Framework that could be leveraged against enterprise-grade applications to achieve remote code execution. WatchTowr Labs, which has codenamed the "invalid cast vulnerability" SOAPwn, said the issue impacts Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8. But the number of affected vendors is likely to be
AI Analysis
Technical Summary
SOAPwn, the name WatchTowr Labs gave the issue, is not a single bug in one product but an exploitation primitive in the .NET Framework's SOAP client stack. When an application builds a SOAP client from a WSDL that an attacker can supply or influence, the generated proxy (a SoapHttpClientProtocol subclass in the classic ASMX stack) takes its endpoint address verbatim from the WSDL's soap:address location, and the request plumbing underneath (WebRequest.Create, which .NET resolves to FileWebRequest for the file: scheme) treats that address as a URL without checking its scheme. An address such as "file://<attacker-controlled-path>" therefore makes the serialized SOAP request land on the local file system instead of going out over HTTP. The written content is the SOAP request itself, so the payload must be carried in a field the attacker controls, but that is enough: the attacker can drop a web shell (ASPX, CSHTML) or a PowerShell script, or overwrite an existing file, and turn the write into remote code execution. The same primitive with a UNC path (file://<attacker-host>/share/...) makes the server write the SOAP request to an attacker-controlled SMB share, which triggers outbound NTLM authentication from the application's service account and enables challenge capture and relay. Products named as affected are Barracuda Service Center RMM (fixed in version 2025.1.1, CVE-2025-34392), Ivanti Endpoint Manager (fixed in 2024 SU4 SR1, CVE-2025-13659) and Umbraco 8. Microsoft has declined to change the .NET Framework itself, on the grounds that the root cause is application behaviour, namely importing a WSDL from an untrusted source; any other .NET application that loads WSDLs from user-influenced locations therefore remains exposed until it is fixed individually. The research was presented at Black Hat Europe 2025 in London. Exploitation requires the attacker to supply or influence the WSDL URL the application consumes, which is common where SOAP clients load WSDLs dynamically from external sources; where that URL is reachable by an unauthenticated user, the result is unauthenticated remote code execution, arbitrary file write and NTLM relay, which is why the issue is rated critical for enterprise environments that rely on .NET SOAP services.
Potential Impact
For European organizations, the SOAPwn vulnerability poses a critical threat to confidentiality, integrity, and availability. Enterprises using affected products or custom .NET SOAP services may face remote code execution attacks that allow adversaries to deploy web shells or malicious scripts, leading to full system compromise. The ability to overwrite arbitrary files can disrupt business operations, corrupt data, or enable persistent backdoors. NTLM relay facilitation increases the risk of lateral movement and credential theft within corporate networks. Given the widespread use of .NET in European enterprises, especially in sectors like finance, healthcare, manufacturing, and government, the impact could be extensive. Organizations relying on Barracuda Service Center RMM or Ivanti Endpoint Manager are at immediate risk if not updated. The lack of a framework-level patch means many custom or less-maintained applications remain vulnerable, increasing the attack surface. The threat also complicates incident response and recovery due to stealthy web shell deployments and potential credential compromise. Overall, the vulnerability could lead to significant data breaches, operational disruption, and regulatory non-compliance under GDPR if exploited.
Mitigation Recommendations
European organizations should immediately apply vendor patches where available, specifically upgrading Barracuda Service Center RMM to version 2025.1.1 or later and Ivanti Endpoint Manager to 2024 SU4 SR1 or later, and following the Umbraco 8 guidance. Because Microsoft is not patching the framework, every other .NET application that imports WSDLs needs its own fix: audit where SOAP clients obtain their WSDL and endpoint URLs, remove any path by which a user, tenant or upstream system can influence that URL, and where dynamic import is unavoidable, validate the resolved endpoint before generating or calling a proxy (require https, reject file:, UNC and every other non-HTTP scheme, and compare the host against an explicit allowlist rather than a denylist). Restrict outbound SMB (TCP 445) from application servers to known file servers, enforce SMB signing, and review SMB share permissions; this blunts the NTLM capture and relay path even where a file write remains possible. Monitor for new or modified ASPX, CSHTML and PowerShell files in web application directories and for the application pool identity writing outside its expected paths, and log the endpoint URLs SOAP clients actually use so that file: or UNC destinations are visible. WAFs or application-layer filters can block obviously malicious WSDL URLs in request parameters, but they do not see the server-side fetch and should not be the primary control. Include SOAP client usage in code reviews and penetration tests of .NET applications, and make developers and administrators aware that a WSDL dictates where the application sends data: an untrusted WSDL must be treated like untrusted code.
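The following C# program is an added example, written for this page and not taken from WatchTowr's research or from Barracuda, Ivanti or any other vendor. It ties together the mechanism described in the Technical Summary and the endpoint allowlisting recommended in the mitigations above: first it shows that WebRequest.Create honours a file: URI and writes a POST body to disk (against a temporary file, not a web root), then it reads the soap:address location out of a constructed rogue WSDL the way a dynamic importer would and refuses to build a proxy for it, and finally it shows a proxy base class that enforces the same check at request time. The host soap.partner.example, the WSDL text and the class names are assumptions made for illustration; the program targets the .NET Framework's System.Web.Services (ASMX) client stack.

```csharp
// Added example for this page; not WatchTowr's proof of concept and not vendor code.
// Target: .NET Framework 4.x, compiled with a reference to System.Web.Services.dll.
// Assumptions: "soap.partner.example" is the only legitimate SOAP peer; the WSDL is constructed.
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Text;
using System.Web.Services.Description;
using System.Web.Services.Protocols;

static class SoapwnDemo
{
    // Constructed rogue WSDL. The only part that matters is soap:address/@location:
    // a generated proxy copies it verbatim into SoapHttpClientProtocol.Url.
    const string RogueWsdl = @"<?xml version='1.0'?>
<definitions name='Demo' targetNamespace='urn:demo'
    xmlns='http://schemas.xmlsoap.org/wsdl/'
    xmlns:soap='http://schemas.xmlsoap.org/wsdl/soap/' xmlns:tns='urn:demo'>
  <portType name='DemoPort'/>
  <binding name='DemoBinding' type='tns:DemoPort'>
    <soap:binding transport='http://schemas.xmlsoap.org/soap/http'/>
  </binding>
  <service name='DemoService'>
    <port name='DemoPort' binding='tns:DemoBinding'>
      <soap:address location='file:///C:/inetpub/wwwroot/app/x.aspx'/>
    </port>
  </service>
</definitions>";

    // Assumption: explicit allowlist of SOAP peers. A denylist of bad schemes is not enough.
    static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "soap.partner.example" };

    // 1. The primitive. WebRequest.Create resolves file: URIs to FileWebRequest, so a POST
    //    body is written to that path instead of being sent anywhere. Demonstrated against
    //    a temp file; a SOAP client whose Url is file:///C:/inetpub/... does exactly this.
    public static string ProvePrimitive()
    {
        string target = Path.Combine(Path.GetTempPath(), "soapwn-probe.txt");
        WebRequest req = WebRequest.Create(new Uri(target)); // C:\... becomes file:///C:/...
        req.Method = "POST";                                // FileWebRequest opens for write only on POST/PUT
        byte[] body = Encoding.UTF8.GetBytes("<soap:Envelope>probe</soap:Envelope>");
        using (Stream s = req.GetRequestStream())           // FileMode.Create on the target path
            s.Write(body, 0, body.Length);
        return File.ReadAllText(target);                     // the "request" is now on disk
    }

    // 2. What a dynamic importer sees: every endpoint the WSDL would bake into a proxy.
    //    Soap12AddressBinding derives from SoapAddressBinding, so one cast covers both.
    public static List<string> Endpoints(string wsdlText)
    {
        ServiceDescription sd = ServiceDescription.Read(new StringReader(wsdlText));
        var found = new List<string>();
        foreach (Service svc in sd.Services)
            foreach (Port port in svc.Ports)
                foreach (object ext in port.Extensions)
                {
                    var addr = ext as SoapAddressBinding;
                    if (addr != null) found.Add(addr.Location);
                }
        return found;
    }

    // 3. The check to run before ServiceDescriptionImporter.Import or any proxy call.
    //    Requiring https rejects file:///C:/..., UNC paths (\\host\share parses as
    //    file://host/share), ftp: and unparsable or relative strings in one go.
    public static bool IsSafeEndpoint(string location)
    {
        Uri uri;
        if (!Uri.TryCreate(location, UriKind.Absolute, out uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttps) return false;
        return AllowedHosts.Contains(uri.Host);
    }

    static void Main()
    {
        string written = ProvePrimitive();
        Console.WriteLine(written.Contains("probe")
            ? "file: URI accepted: POST body landed on disk"
            : "file: URI not honoured on this runtime");

        foreach (string loc in Endpoints(RogueWsdl))
            Console.WriteLine(loc + " -> " +
                (IsSafeEndpoint(loc) ? "import" : "REJECT: do not generate or call a proxy"));
    }
}

// 4. Defence in depth for proxies that already exist. Generated proxies derive from
//    SoapHttpClientProtocol; re-base them on this class (edit the CodeDom output before
//    compiling, or the partial class of a static proxy) so that a later Url assignment
//    cannot reach file: either.
public class PinnedSoapClient : SoapHttpClientProtocol
{
    protected override WebRequest GetWebRequest(Uri uri)
    {
        if (!SoapwnDemo.IsSafeEndpoint(uri.AbsoluteUri))
            throw new InvalidOperationException("SOAP endpoint rejected: " + uri);
        return base.GetWebRequest(uri);
    }
}
```

Run the program under the same identity as the application pool: if ProvePrimitive succeeds, that identity can turn any attacker-reachable SOAP client into a file write, and the only question is which paths it can reach. Rejecting plain http as well as file: is deliberate; relax the scheme check only if a peer genuinely cannot speak TLS, and keep the host allowlist regardless.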
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Ireland
Technical Details
- Article Source: https://thehackernews.com/2025/12/net-soapwn-flaw-opens-door-for-file.html (fetched 2025-12-10T20:57:10Z, 1128 words)
Threat ID: 6939dea8a97935729e794a96
Added to database: 12/10/2025, 8:57:12 PM
Last enriched: 12/10/2025, 8:57:45 PM
Last updated: 12/11/2025, 7:14:04 AM