Find notable cyber news and cases, enriched with sources, timelines, and signals.

SOAPwn research on .NET WSDL proxy abuse enabling file writes and RCE

Technical Analysis
First reported
Last updated
Happening score
H score 26
1 unique sources, 1 articles

Summary

Hide ▲

Researchers exposed SOAPwn, a .NET Framework exploitation path that turns attacker-controlled WSDL input and HTTP client proxies into arbitrary file writes and remote code execution. The issue matters because the same primitive can also support NTLM challenge capture and file-overwrite abuse in enterprise applications built on .NET. A second path through ServiceDescriptionImporter widens the attack surface when generated proxies fail to validate the URL. The findings are actionable for defenders because they identify concrete code paths, payload forms, and proxy behaviors to monitor.

Related Happenings

Windows search URI handler NTLMv2 hash disclosure security flaw (CVE-2026-33829)

Vulnerability
H score24 First: 03.06.2026 13:18 Last: 03.06.2026 13:18 Sources 1

About this happening: **Windows search: URI handler** has an **unpatched NTLMv2 hash disclosure flaw** that can let an attacker capture a user's Net-NTLMv2 hash through a crafted `search:` link. The we...

Windows RPC PhantomRPC local privilege escalation flaw

Vulnerability
H score19 First: 28.04.2026 14:31 Last: 28.04.2026 14:31 Sources 1

About this happening: **PhantomRPC** in **Windows RPC** can let a local attacker elevate to **System** across **all Windows versions**, creating a high-impact privilege-escalation path. The flaw abuses...

APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations

Campaign
H score39 First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...

External Microsoft Teams helpdesk-impersonation campaign

Campaign
H score32 First: 20.04.2026 18:11 Last: 20.04.2026 18:11 Sources 1

About this happening: A **campaign** abusing **external Microsoft Teams collaboration** is letting attackers impersonate **IT/helpdesk staff**, gain remote access, and stage **targeted data exfiltratio...

ClickFix DNS-based nslookup staging campaign

Campaign
H score35 First: 15.02.2026 16:10 Last: 15.02.2026 16:10 Sources 1

About this happening: The **ClickFix** campaign has added **DNS-based staging** that uses **nslookup** in the **Windows Run dialog** to fetch and run a second-stage payload, making malicious execution...

Timeline

  1. 10.12.2025 21:21 2 articles · 7mo ago

    SOAPwn disclosure and .NET proxy abuse findings

    Initial Disclosure

    WatchTowr Labs disclosed SOAPwn at Black Hat Europe in London, describing a .NET Framework exploitation primitive that abuses rogue WSDL imports, HTTP client proxies, and ServiceDescriptionImporter behavior to turn SOAP handling into arbitrary file writes, NTLM challenge capture, and remote code execution; the affected products named in the research include Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8, with vendor fixes noted for Barracuda Service Center RMM 2025.1.1 and Ivanti EPM 2024 SU4 SR1 after Microsoft declined a platform-level fix following responsible disclosure in March 2024 and July 2025.

    Show sources