CVE-2025-34394
Published: 10 December 2025
Summary
CVE-2025-34394 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Barracuda Rmm. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 Flaw Remediation directly mitigates this CVE by requiring timely patching of the .NET Remoting deserialization vulnerability as recommended in the vendor update to version 2025.1.1.
SI-10 Information Input Validation prevents remote code execution by enforcing validation and sanitization of inputs to the exposed .NET Remoting service, blocking arbitrary type deserialization.
SC-7 Boundary Protection limits network access to the vulnerable .NET Remoting service through firewalls or other boundary controls, reducing the attack surface for unauthenticated remote exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an unauthenticated deserialization flaw in a network-exposed .NET Remoting service in a public-facing application (Barracuda Service Center), directly enabling remote code execution via T1190: Exploit Public-Facing Application.
NVD Description
Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, exposes a .NET Remoting service that is insufficiently protected against deserialization of arbitrary types. This can lead to remote code execution.
Deeper analysisAI
CVE-2025-34394 is a critical vulnerability in Barracuda Service Center, a component of the Barracuda RMM solution, affecting versions prior to 2025.1.1. The issue stems from an exposed .NET Remoting service that lacks sufficient protection against deserialization of arbitrary types, enabling remote code execution (CWE-502). It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and comprehensive impact.
The vulnerability can be exploited by unauthenticated remote attackers with network access to the affected service. Exploitation requires low complexity and no user interaction, allowing attackers to achieve full remote code execution with high impacts on confidentiality, integrity, and availability.
Advisories recommend updating to Barracuda RMM version 2025.1.1 or later for mitigation, as detailed in the release notes (https://download.mw-rmm.barracudamsp.com/PDF/2025.1.1/RN_BRMM_2025.1.1_EN.pdf). Further technical analysis is available in the Vulncheck advisory (https://www.vulncheck.com/advisories/barracuda-rmm-service-center-net-remoting-deserialization-rce) and on the Barracuda RMM product page (https://www.barracuda.com/products/msp/network-protection/rmm).
Details
- CWE(s)