Microsoft Faces Backlash for Leaving .NET Flaw Unpatched, Researchers Warn of RCE Risks Across Enterprise Apps

Microsoft Faces Backlash for Leaving .NET Flaw Unpatched, Researchers Warn of RCE Risks Across Enterprise Apps

Security researchers have disclosed a major .NET flaw they say could expose many enterprise applications to remote code execution (RCE) attacks — and claim Microsoft refuses to issue a fix.

The discovery, presented by watchTowr’s principal vulnerability researcher Piotr Bazydło at Black Hat Europe, reveals that applications built using the SoapHttpClientProtocol class in Microsoft’s .NET framework may behave unpredictably when handling SOAP messages. According to the research, this behavior can be abused to write arbitrary files or trigger more advanced attacks.

How the Flaw Works

The SoapHttpClientProtocol class is widely used across .NET applications to communicate with SOAP services. However, researchers found that the class supports multiple protocols — including HTTP, HTTPS, FTP, and even FILE — despite being documented as a simple HTTP handler.

If an attacker can manipulate the target URL of the SOAP client, they can redirect requests to the local file system. Instead of failing safely, the class will write the SOAP request directly into a file.

Bazydło called this behavior “unexpected and dangerous,” noting that no developer reasonably expects a SOAP request to write data to disk.

1

Microsoft Says It’s Not a Vulnerability

The issue was initially reported to Microsoft through the Zero Day Initiative (ZDI). However, Microsoft responded that developers simply should not allow untrusted input to control SOAP URLs.

According to Bazydło, Microsoft labeled the behavior a “feature,” shifting responsibility onto app developers — even though the behavior is undocumented and can impact widely used enterprise products.

Expanding the Attack Surface

watchTowr later found a second exploitation path while examining Barracuda Service Center: feeding malicious WSDL files to vulnerable apps. This allows attackers to generate their own client proxies and plant payloads such as ASPX or CSHTML webshells.

The same technique was shown to affect Ivanti Endpoint Manager and Umbraco 8 CMS, with researchers saying the real number of affected products is likely much larger due to .NET’s massive footprint.

Microsoft Reiterates Its Position

Even after multiple follow-up reports — including those involving Microsoft’s own products — the company repeated that developers should not accept untrusted input.

Bazydło summarized Microsoft’s stance as blaming the application first, and the user second, expressing frustration that the company is unwilling to update the framework’s behavior.