Cyber Posture

CVE-2025-34393

Critical · Public PoC

Published: 10 December 2025
Modified: 23 December 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0052 (66.8th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, does not correctly verify the name of an attacker-controlled WSDL service, leading to insecure reflection. This can result in remote code execution through either invocation of arbitrary methods or deserialization of untrusted types.

Mitigating Controls (NIST 800-53 r5) · AI

- prevent: Directly addresses the improper verification of attacker-controlled WSDL service names by requiring validation of externally-controlled inputs to prevent insecure reflection and deserialization leading to RCE.
- prevent: Mandates timely flaw remediation, such as patching Barracuda Service Center to version 2025.1.1 or later, to eliminate the specific vulnerability enabling arbitrary method invocation or untrusted deserialization.
- prevent: Requires organizations to receive, disseminate, and act on security alerts and advisories like those for CVE-2025-34393, prompting upgrades to mitigate the critical RCE risk.

Security Summary · AI

CVE-2025-34393 affects Barracuda Service Center, a component of the Barracuda RMM solution in versions prior to 2025.1.1. The vulnerability stems from improper verification of the name of an attacker-controlled WSDL service, resulting in insecure reflection. This flaw, classified under CWE-470 (Use of Externally-Controlled Input to Select Classes or Code), enables remote code execution either through invocation of arbitrary methods or deserialization of untrusted types. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

The vulnerability is exploitable remotely over the network with low complexity, requiring no authentication, privileges, or user interaction. Any unauthenticated attacker with network access to the affected Barracuda Service Center instance can trigger insecure reflection by supplying a malicious WSDL service, leading to full remote code execution. Successful exploitation grants high-impact confidentiality, integrity, and availability compromises within the unchanged security scope.

Advisories recommend upgrading to Barracuda RMM version 2025.1.1 or later, as detailed in the release notes available at the Barracuda download site. The VulnCheck advisory provides further technical analysis of the insecure reflection leading to RCE in Barracuda Service Center, while the official Barracuda RMM product page offers context on the solution's deployment.

Details

CWE(s): CWE-470 (Use of Externally-Controlled Input to Select Classes or Code)

Affected Products: barracuda rmm ≤ 2025.1.1

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote code execution in a network-accessible service (Barracuda Service Center), directly mapping to exploitation of public-facing applications for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
