Cyber Resilience

CVE-2025-34392

CriticalPublic PoC

Published: 10 December 2025

Published
10 December 2025
Modified
23 December 2025
KEV Added
Patch
CVSS Score v4 10.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0127 79.9th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-34392 is a critical-severity Absolute Path Traversal (CWE-36) vulnerability in Barracuda Rmm. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-34392 is a critical vulnerability in Barracuda Service Center, a component of the Barracuda RMM solution, affecting versions prior to 2025.1.1. The issue arises because the application fails to verify the URL specified in an attacker-controlled Web Services Description Language (WSDL) file that it later loads. Classified under CWE-36 (Absolute Path Traversal), this flaw allows arbitrary file writes and remote code execution (RCE) via webshell upload. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its severity.

Remote attackers can exploit CVE-2025-34392 over the network without authentication, privileges, or user interaction, requiring only low attack complexity. By supplying a malicious WSDL with a controlled URL, an attacker can trick the application into writing files to arbitrary locations, enabling webshell deployment and subsequent RCE on the targeted Barracuda Service Center instance.

Advisories recommend upgrading to Barracuda RMM version 2025.1.1 or later, as outlined in the official release notes. Watchtower Labs provides technical details on the underlying SOAP/WSDL proxy exploitation technique in .NET Framework applications, while Vulncheck's advisory elaborates on the absolute path traversal mechanism leading to RCE in Barracuda Service Center.

EU & UK References

Vulnerability details

Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, does not verify the URL defined in an attacker-controlled WSDL that is later loaded by the application. This can lead to arbitrary file write and remote…

more

code execution via webshell upload.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

CVE enables unauthenticated remote exploitation of a public-facing web service (T1190) via path traversal in WSDL, directly facilitating webshell upload for RCE (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-34394Same product: Barracuda Rmm
CVE-2025-34393Same product: Barracuda Rmm
CVE-2025-57790Shared CWE-36
CVE-2026-0846Shared CWE-36
CVE-2026-1330Shared CWE-36
CVE-2026-4373Shared CWE-36
CVE-2026-2753Shared CWE-36
CVE-2025-7846Shared CWE-36
CVE-2024-48248Shared CWE-36
CVE-2026-26337Shared CWE-36

Affected Assets

barracuda
rmm
≤ 2025.1.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires validation of information inputs like the attacker-controlled WSDL URL, directly preventing path traversal and arbitrary file writes.

prevent

SI-2 mandates identification and remediation of flaws such as this unpatched WSDL verification failure, aligning with the vendor's upgrade advisory.

prevent

SI-9 restricts characteristics of inputs like WSDL URLs to approved formats or domains, mitigating exploitation of unverified paths.

References