Critical "SOAPwn" Vulnerability in .NET Enables Authentication Bypass and Remote Code Execution

.NET "SOAPwn" Flaw Allows Authentication Bypass and RCE in Enterprise Apps

CRITICAL
December 20, 2025
5m read
VulnerabilityThreat IntelligencePatch Management

Related Entities

Organizations

Microsoft

Products & Tech

.NETSOAP

Other

SOAPwn

MITRE ATT&CK Techniques

T1190Initial Access

Exploit Public-Facing Application

T1500Collection

Data from Information Repositories

T1059.003Execution

Windows Command Shell

Full Report

Executive Summary

A severe vulnerability, dubbed "SOAPwn," was disclosed on December 19, 2025, affecting .NET applications that use SOAP-based web services. This flaw enables a remote, unauthenticated attacker to bypass security mechanisms and execute arbitrary code on the server. Given that SOAP, while a legacy protocol, is still deeply embedded in many enterprise applications for critical functions like financial transactions and data exchange, this vulnerability poses a significant threat. An attacker could exploit SOAPwn to compromise application servers, steal sensitive data, or disrupt core business processes. Microsoft has acknowledged the issue, released patches, and provided guidance for mitigation.

Vulnerability Details

Details surrounding "SOAPwn" are still emerging, but the core of the issue lies in the way .NET applications parse and handle specially crafted SOAP requests.

  • Vulnerability Name: SOAPwn (colloquial name)
  • Affected Technology: .NET Framework applications using SOAP-based web services (e.g., WCF, ASMX).
  • Impact: Authentication Bypass leading to Remote Code Execution (RCE).
  • Attack Vector: A remote, unauthenticated attacker sends a malformed SOAP request to a vulnerable web service endpoint.

The vulnerability likely stems from a flaw in the deserialization process of the SOAP message. By crafting a malicious payload within the SOAP envelope, an attacker can trick the application into executing unintended code, bypassing authentication and authorization checks that would normally be performed.

<!-- Conceptual Example of a Malicious SOAP Request -->
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header>
    <!-- Malicious headers to manipulate security context -->
  </soap:Header>
  <soap:Body>
    <vulnerableAction>
      <parameter>
        <!-- Payload that triggers deserialization RCE -->
        <maliciousObject>...</maliciousObject>
      </parameter>
    </vulnerableAction>
  </soap:Body>
</soap:Envelope>

Affected Systems

Any .NET application (including legacy ASP.NET and Windows Communication Foundation - WCF) that exposes a SOAP endpoint could be vulnerable. This is particularly common in:

  • Enterprise Resource Planning (ERP) systems
  • Financial and banking applications
  • Legacy integrations between business systems
  • Government and healthcare applications

Organizations may have many such legacy endpoints that are not well-documented but are still active and exposed.

Exploitation Status

The public disclosure did not specify if the vulnerability is being actively exploited. However, vulnerabilities of this type—unauthenticated RCE in a widely used enterprise protocol—are prime targets for rapid weaponization by threat actors. Organizations should assume that exploitation is imminent, if not already occurring.

Impact Assessment

A successful exploit of SOAPwn could be catastrophic for an enterprise:

  • Full Server Compromise: RCE on a web server gives the attacker a strong foothold within the corporate network.
  • Data Breach: Attackers can access and exfiltrate any data the compromised application has access to, including customer databases, financial records, and intellectual property.
  • Business Process Disruption: Attackers could manipulate or delete data, disrupting critical business operations that rely on the SOAP service.
  • Lateral Movement: The compromised server can be used as a pivot point to attack other internal systems.

Cyber Observables for Detection

Security teams should look for the following indicators:

Type
url_pattern
Value
*.asmx, *.svc
Description
Default file extensions for legacy .NET SOAP web services. Finding these on web servers can indicate potentially vulnerable endpoints.
Type
network_traffic_pattern
Value
Unusually large or malformed SOAP/XML requests in web server logs.
Description
Look for requests that deviate significantly from normal application traffic.
Type
log_source
Value
IIS Logs / Application Logs
Description
Monitor for exceptions related to XML parsing or deserialization, or for successful actions performed without corresponding authentication logs.
Type
process_name
Value
w3wp.exe (IIS Worker Process) spawning unusual child processes like cmd.exe or powershell.exe.
Description
This is a strong indicator of successful RCE on the web server.

Detection & Response

D3FEND Reference: D3-NTA: Network Traffic Analysis, D3-PC: Process Creation-based Analysis

  1. Endpoint Discovery: The first step is to identify all applications in your environment that expose SOAP endpoints. Use web scanners and review application inventories to find all .asmx and .svc files.
  2. Web Application Firewall (WAF): Deploy and configure a WAF to inspect incoming SOAP traffic. While a generic WAF may not block a zero-day, it can be configured with rules to block malformed XML or requests with characteristics of the exploit once they are known.
  3. Process Monitoring: Use an EDR solution to monitor the IIS worker process (w3wp.exe) on all .NET web servers. Alert on any instance of this process spawning child processes like cmd.exe, powershell.exe, curl.exe, etc., as this is highly indicative of a web shell or RCE.

Mitigation

D3FEND Reference: D3-SU: Software Update, D3-ACH: Application Configuration Hardening

  1. Apply Patches (Priority 1): Install the security updates released by Microsoft for the .NET Framework and any related components. This is the most effective way to remediate the vulnerability.
  2. Restrict Access: If patching is not immediately possible, severely restrict access to the vulnerable SOAP endpoints. If the service is only used by internal applications, ensure it is not exposed to the internet. Use firewall rules to limit access to only the specific IP addresses of trusted client applications.
  3. Modernize Legacy Applications: As a long-term strategy, organizations should prioritize migrating legacy SOAP-based services to more modern and secure RESTful APIs using technologies like ASP.NET Core. This reduces the attack surface and moves away from protocols with a history of complex security issues like XML and SOAP.
  4. Harden Deserialization: If possible, configure the .NET application to use a more secure deserializer or to only accept a strict allowlist of object types during deserialization to prevent malicious object injection.

Timeline of Events

1
December 19, 2025
The "SOAPwn" vulnerability is publicly disclosed.
2
December 20, 2025
This article was published

MITRE ATT&CK Mitigations

Update Software

M1051enterprise

Applying the patches from Microsoft for the .NET Framework is the primary mitigation.

Mapped D3FEND Techniques:

D3-SU

Application Isolation and Sandboxing

M1048enterprise

Isolating legacy applications and restricting their network access can limit the blast radius of a compromise.

Limit Access to Resource Over Network

M1035enterprise

If the SOAP service is only used internally, ensure it is not exposed to the internet.

Mapped D3FEND Techniques:

D3-NI

D3FEND Defensive Countermeasures

Process Creation-based Analysis

D3-PCMaps to MITREM1040
D3FEND

A key indicator of successful RCE against a web application like one vulnerable to SOAPwn is the web server process spawning unexpected child processes. Security teams must configure their EDR or SIEM to monitor the IIS worker process, w3wp.exe. Create a high-priority alert that triggers whenever w3wp.exe is observed as the parent process for cmd.exe, powershell.exe, cscript.exe, wscript.exe, curl.exe, or wget.exe. In a properly configured environment, this behavior is almost always malicious and indicates that an attacker has successfully executed code on the server. This detection provides a high-confidence signal to trigger an automated incident response action, such as isolating the host from the network.

Software Update

D3-SUMaps to MITREM1051
D3FEND

The definitive solution to the SOAPwn vulnerability is to apply the security patches provided by Microsoft for the affected .NET Framework versions. Organizations must use their patch management and asset inventory systems to identify all web servers running .NET applications with exposed SOAP endpoints (.asmx, .svc). These servers should be patched on an emergency basis. Given the unauthenticated RCE nature of the flaw, any delay in patching represents a significant and unacceptable risk to the organization. Post-patching, vulnerability scanners should be used to verify that the patch has been applied correctly and the vulnerability is remediated.

Application Configuration Hardening

D3-ACHMaps to MITREM1054
D3FEND

As a long-term strategic mitigation, organizations must plan to migrate away from legacy SOAP-based services. SOAP and its reliance on complex XML parsing and deserialization have historically been a rich source of security vulnerabilities. Development teams should be directed to prioritize the modernization of these applications, refactoring them to use modern, more secure RESTful APIs with JSON. REST APIs generally have a smaller and simpler attack surface than SOAP. This not only mitigates the risk of SOAPwn and future similar vulnerabilities but also improves performance and maintainability. This represents a shift from a reactive patching cycle to a proactive architectural improvement.

Timeline of Events

1
December 19, 2025

The "SOAPwn" vulnerability is publicly disclosed.

Sources & References

Top 5 Cybersecurity News Stories December 19, 2025
DieSec (diesec.com) December 19, 2025
ENISA opens public consultation on SBOM analysis and secure package management guidance
Industrial Cyber (industrialcyber.co) December 19, 2025

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

SOAP.NETWCFASMXRCEAuthentication BypassLegacy Systems

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.