Recent research has revealed a significant vulnerability in the .NET Framework, termed SOAPwn, which allows attackers to exploit enterprise applications for remote code execution. WatchTowr Labs identified this "invalid cast vulnerability," affecting products like Barracuda Service Center RMM, Ivanti Endpoint Manager, and Umbraco 8. Given the widespread use of .NET, more applications could be vulnerable. The research was presented by security researcher Piotr Bazydlo at the Black Hat Europe conference. The vulnerability arises from how applications handle Simple Object Access Protocol (SOAP) messages, particularly through Web Services Description Language (WSDL) imports. Attackers can manipulate .NET Framework HTTP client proxies to execute arbitrary code by injecting controlled URLs. For instance, using a URL like "file://<attacker-controlled input>" can lead to unauthorized file writes and code execution. In one scenario, a hacker could direct a SOAP request to an SMB share they control, potentially capturing NTLM authentication challenges. Bazydlo also pointed out a more dangerous exploitation method tied to the ServiceDescriptionImporter class, which fails to validate URLs from generated HTTP client proxies. By providing a malicious WSDL file, an attacker can drop web shells or PowerShell scripts into vulnerable applications, gaining remote access. Microsoft has not issued a fix for this vulnerability, arguing that it results from application behavior rather than a flaw in the framework itself. However, Barracuda and Ivanti have patched their affected products, while Umbraco 8 remains vulnerable as it reached its end-of-life in February 2025.