Cyber Resilience

CVE-2025-34394

CriticalPublic PoCRCE

Published: 10 December 2025

Published
10 December 2025
Modified
23 December 2025
KEV Added
Patch
CVSS Score v4 10.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0112 78.6th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-34394 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Barracuda Rmm. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-34394 is a critical vulnerability in Barracuda Service Center, a component of the Barracuda RMM solution, affecting versions prior to 2025.1.1. The issue stems from an exposed .NET Remoting service that lacks sufficient protection against deserialization of arbitrary types, enabling remote code execution (CWE-502). It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and comprehensive impact.

The vulnerability can be exploited by unauthenticated remote attackers with network access to the affected service. Exploitation requires low complexity and no user interaction, allowing attackers to achieve full remote code execution with high impacts on confidentiality, integrity, and availability.

Advisories recommend updating to Barracuda RMM version 2025.1.1 or later for mitigation, as detailed in the release notes (https://download.mw-rmm.barracudamsp.com/PDF/2025.1.1/RN_BRMM_2025.1.1_EN.pdf). Further technical analysis is available in the Vulncheck advisory (https://www.vulncheck.com/advisories/barracuda-rmm-service-center-net-remoting-deserialization-rce) and on the Barracuda RMM product page (https://www.barracuda.com/products/msp/network-protection/rmm).

EU & UK References

Vulnerability details

Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, exposes a .NET Remoting service that is insufficiently protected against deserialization of arbitrary types. This can lead to remote code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an unauthenticated deserialization flaw in a network-exposed .NET Remoting service in a public-facing application (Barracuda Service Center), directly enabling remote code execution via T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-34393Same product: Barracuda Rmm
CVE-2025-34392Same product: Barracuda Rmm
CVE-2024-13770Shared CWE-502
CVE-2026-27303Shared CWE-502
CVE-2025-53586Shared CWE-502
CVE-2025-64353Shared CWE-502
CVE-2025-31047Shared CWE-502
CVE-2026-27096Shared CWE-502
CVE-2023-49886Shared CWE-502
CVE-2026-23542Shared CWE-502

Affected Assets

barracuda
rmm
≤ 2025.1.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 Flaw Remediation directly mitigates this CVE by requiring timely patching of the .NET Remoting deserialization vulnerability as recommended in the vendor update to version 2025.1.1.

prevent

SI-10 Information Input Validation prevents remote code execution by enforcing validation and sanitization of inputs to the exposed .NET Remoting service, blocking arbitrary type deserialization.

prevent

SC-7 Boundary Protection limits network access to the vulnerable .NET Remoting service through firewalls or other boundary controls, reducing the attack surface for unauthenticated remote exploitation.

References