Cyber Posture

CVE-2025-27816

Critical · RCE

Published: 07 March 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0031 (54.2th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27816 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Veritas (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 45.8% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Disabling the unnecessary Plugin_Host service implements least functionality and directly eliminates the vulnerable .NET remoting endpoint as recommended by the vendor.

prevent

Flaw remediation requires applying vendor advisories, such as disabling the Plugin_Host service, to correct the insecure deserialization vulnerability.

prevent

Validating untrusted inputs to the .NET remoting endpoint prevents exploitation of insecure deserialization of potentially malicious messages.

MITRE ATT&CK Enterprise Techniques (AI)

T1210 · Exploitation of Remote Services · Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

Insecure deserialization in the .NET remoting endpoint of the Plugin_Host service directly enables unauthenticated remote exploitation of the service for code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability was discovered in the Arctera InfoScale 7.0 through 8.0.2 where a .NET remoting endpoint can be exploited due to the insecure deserialization of potentially untrusted messages. The vulnerability is present in the Windows Plugin_Host service, which runs on all the servers where InfoScale is installed. The service is used only when applications are configured for Disaster Recovery (DR) using the DR wizard. Disabling the Plugin_Host service manually will eliminate the vulnerability.

Deeper analysis (AI)

CVE-2025-27816 is a vulnerability discovered in Arctera InfoScale versions 7.0 through 8.0.2, affecting the Windows Plugin_Host service that runs on all servers where InfoScale is installed. The flaw arises from insecure deserialization of potentially untrusted messages in a .NET remoting endpoint. This service is used only when applications are configured for Disaster Recovery (DR) using the DR wizard.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): it is exploitable over the network by unauthenticated attackers, with low attack complexity and no user interaction. Exploitation of the deserialization issue in the Plugin_Host service can result in high impacts to confidentiality, integrity, and availability.

The Veritas security advisory (ARC25-002) at https://www.veritas.com/content/support/en_US/security/ARC25-002 notes that manually disabling the Plugin_Host service eliminates the vulnerability.

Details

CWE(s)

Affected Products

Veritas
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-26866 (Shared CWE-502)
CVE-2026-25769 (Shared CWE-502)
CVE-2026-35337 (Shared CWE-502)
CVE-2025-29783 (Shared CWE-502)
CVE-2025-61880 (Shared CWE-502)
CVE-2024-57764 (Shared CWE-502)
CVE-2026-24891 (Shared CWE-502)
CVE-2025-69276 (Shared CWE-502)
CVE-2025-30023 (Shared CWE-502)
CVE-2024-47552 (Shared CWE-502)

References