SOAPwn research on .NET WSDL proxy abuse enabling file writes and RCE
Technical Analysis
Summary
Researchers disclosed SOAPwn, a .NET Framework exploitation path in which attacker-controlled WSDL input, combined with the HTTP client proxy settings honoured by generated SOAP clients, yields arbitrary file writes and remote code execution. The issue matters because the same primitive can also be used for NTLM challenge capture and file-overwrite abuse in enterprise applications built on .NET. A second path through ServiceDescriptionImporter widens the attack surface when the generated proxies do not validate the service URL they are given. The findings are actionable for defenders because they identify concrete code paths, payload forms, and proxy behaviours to monitor.
Related Happenings
Windows RPC PhantomRPC local privilege escalation flaw
Vulnerability
First: 28.04.2026 14:31
Last: 28.04.2026 14:31
Sources 1
About this happening:
**PhantomRPC** in **Windows RPC** can let a local attacker elevate to **System** across **all Windows versions**, creating a high-impact privilege-escalation path. The flaw abuses...
APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
Campaign
First: 28.04.2026 08:50
Last: 28.04.2026 08:50
Sources 1
About this happening:
A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...
External Microsoft Teams helpdesk-impersonation campaign
Campaign
First: 20.04.2026 18:11
Last: 20.04.2026 18:11
Sources 1
About this happening:
A **campaign** abusing **external Microsoft Teams collaboration** is letting attackers impersonate **IT/helpdesk staff**, gain remote access, and stage **targeted data exfiltratio...
ClickFix DNS-based nslookup staging campaign
Campaign
First: 15.02.2026 16:10
Last: 15.02.2026 16:10
Sources 1
About this happening:
The **ClickFix** campaign has added **DNS-based staging** that uses **nslookup** in the **Windows Run dialog** to fetch and run a second-stage payload, making malicious execution...
LummaStealer infection surge via CastleLoader
Malware Activity
First: 11.02.2026 19:02
Last: 11.02.2026 19:02
Sources 1
About this happening:
The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...
Latest development: 06.03.2026 08:44
Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().
Timeline
10.12.2025 21:21 · 2 articles · 5mo ago
SOAPwn disclosure and .NET proxy abuse findings
Initial Disclosure: WatchTowr Labs disclosed SOAPwn at Black Hat Europe in London, describing a .NET Framework exploitation primitive that abuses rogue WSDL imports, HTTP client proxies, and ServiceDescriptionImporter behaviour to turn SOAP handling into arbitrary file writes, NTLM challenge capture, and remote code execution. The affected products named in the research include Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8, with vendor fixes noted for Barracuda Service Center RMM 2025.1.1 and Ivanti EPM 2024 SU4 SR1. Microsoft declined a platform-level fix following responsible disclosure in March 2024 and July 2025.
Sources:
- .NET SOAPwn Flaw Opens Door for File Writes and Remote Code Execution via Rogue WSDL — thehackernews.com — 10.12.2025 21:21