QwikSec

Security Database

CVE

CWE

Training

CVE-2025-34392

Published: Dec 10, 2025

Modified: May 14, 2026

PUBLISHED

Description

Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, does not verify the URL defined in an attacker-controlled WSDL that is later loaded by the application. This can lead to arbitrary file write and remote code execution via webshell upload.

Vendor	Product	Versions
Barracuda Networks	RMM	affected `2025.1 - < 2025.1.1`

Weaknesses (CWE)

References

https://download.mw-rmm.barracudamsp.com/PDF/2025.1.1/RN_BRMM_2025.1.1_EN.pdf

vendor-advisory

patch

https://www.barracuda.com/products/msp/network-protection/rmm

product

https://www.vulncheck.com/advisories/barracuda-rmm-service-center-absolute-path-traversal-rce

third-party-advisory

https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/

exploit

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.