Microsoft won’t fix .NET RCE bug affecting slew of enterprise apps, researchers say www.theregister.com/2025/12/1…
Security researchers have revealed a .NET security flaw thought to affect a host of enterprise-grade products that they say Microsoft refuses to fix.
Piotr Bazydło, principal vulnerability researcher at watchTowr, unveiled the findings at Black Hat Europe on Wednesday, claiming that several vendor and in-house solutions could be vulnerable to remote code execution (RCE) attacks due to errors in the way applications built on Microsoft’s .NET framework handle Simple Object Access Protocol (SOAP) messages.
The researcher identified the SoapHttpClientProtocol class as the primary culprit, explaining that it can be exploited in different ways to achieve an attacker’s goals. If an attacker can set the target URL to a file system instead of an HTTP web address, the class will ignore the error and then write the SOAP request (which uses the POST method) directly into the file. Bazydło wrote: “Wait, what. Why should a SOAP proxy be able to ‘send’ SOAP requests to a local file? Nobody on this planet expects to receive a valid SOAP response from the filesystem.”
