Barracuda RMM: Critical security vulnerabilities allow code injection

Critical security vulnerabilities exist in Barracuda's Service Center RMM, through which attackers can execute arbitrary code.


IT managers who manage their IT with Barracuda RMM – formerly known as Managed Workplace – should urgently install the available Hotfix 2025.1.1 if they haven't already done so. It closes several security vulnerabilities, three of which have received the highest CVSS score of 10, thus representing a major risk.

Barracuda itself publishes a PDF announcing the hotfix and remains very vague about it. "The purpose of this hotfix is to proactively address security issues around remote code injection and execution," Barracuda writes, adding: "These vulnerabilities have not been exploited." They recommend all users update their Barracuda RMM with the hotfix.

However, vulnerability entries for the individual flaws appeared on Thursday night this week. For example, before Hotfix version 2025.1.1, Barracuda RMM does not validate the URL in an attacker-controlled WSDL request, which the application later loads. This can lead to arbitrary file writes and arbitrary code execution via a webshell upload (CVE-2025-34392, CVSS4 10.0, risk "critical"). Furthermore, the software does not validate the name of attacker-controlled WSDL services, which can lead to unsafe reflection. This, in turn, can lead to remote code execution over the network by calling arbitrary methods or deserializing unsafe data types (CVE-2025-34393, CVSS4 10.0, risk "critical").

Barracuda RMM also provides access to a .Net Remoting service that is insufficiently secured against deserialization of arbitrary data types. This can also be exploited for remote code execution (CVE-2025-34394, CVSS4 10.0, risk "critical"). Additionally, unauthenticated attackers can exploit a path traversal vulnerability to read arbitrary files in an exposed .Net Remoting service – intercepting .Net machine keys allows for the execution of remote-injected malicious code (CVE-2025-34395, CVSS4 8.7, risk "high").
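The four flaws above fall into three familiar input-validation classes: an unvalidated URL that the server fetches and writes to disk, an attacker-chosen name fed into reflection or a deserializer, and an unsanitised path. The following C# snippet is an added illustration of the checks a .NET service needs for each class; it is not Barracuda's code, says nothing about how RMM is actually built, and every name, host and directory in it is an assumption for the example.

```csharp
// Added example, not Barracuda's code: defensive checks for the three flaw
// classes discussed in the text. Host allowlist, service table and directory
// names are assumptions chosen for illustration.
using System;
using System.Collections.Generic;
using System.IO;

public static class RmmInputGuards
{
    // 1) WSDL fetch: only hosts the operator configured may be loaded, and only
    //    over HTTPS. An attacker-supplied URL is rejected instead of being
    //    fetched and written to disk.
    private static readonly HashSet<string> AllowedWsdlHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "rmm.example.internal" // assumed operator-configured host
        };

    public static bool IsAllowedWsdlUrl(string candidate)
    {
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out var uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttps) return false; // blocks file://, http://, etc.
        return AllowedWsdlHosts.Contains(uri.Host);
    }

    // 2) Service name: map the client-supplied string to a fixed table of
    //    handler types. Never pass it to Type.GetType / Activator.CreateInstance
    //    or to a BinaryFormatter-style deserializer.
    private static readonly Dictionary<string, Type> KnownServices =
        new Dictionary<string, Type>(StringComparer.Ordinal)
        {
            ["DeviceInventory"] = typeof(DeviceInventoryService) // assumed handler
        };

    public static bool TryResolveService(string name, out Type service) =>
        KnownServices.TryGetValue(name, out service);

    // 3) Path traversal: canonicalise the combined path and require that the
    //    result still lies under the intended base directory.
    public static bool IsPathWithinBase(string baseDir, string requested)
    {
        string root = Path.GetFullPath(baseDir)
                          .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, requested));
        return full.StartsWith(root, StringComparison.OrdinalIgnoreCase);
    }
}

public sealed class DeviceInventoryService { } // placeholder type for the example

public static class Demo
{
    public static void Main()
    {
        Console.WriteLine(RmmInputGuards.IsAllowedWsdlUrl("https://rmm.example.internal/svc?wsdl")); // True
        Console.WriteLine(RmmInputGuards.IsAllowedWsdlUrl("http://attacker.example/evil?wsdl"));      // False
        Console.WriteLine(RmmInputGuards.TryResolveService("DeviceInventory", out _));               // True
        Console.WriteLine(RmmInputGuards.TryResolveService("System.Diagnostics.Process", out _));    // False
        Console.WriteLine(RmmInputGuards.IsPathWithinBase("/var/rmm/data", "reports/today.txt"));     // True
        Console.WriteLine(RmmInputGuards.IsPathWithinBase("/var/rmm/data", "../../etc/passwd"));      // False
    }
}
```

For the .NET Remoting deserialization issue there is no equivalent input check: the legacy Remoting stack deserializes whatever type the client names, which is why Microsoft recommends not exposing it at all. From a defender's side that means keeping the Remoting port off untrusted networks and applying the hotfix, rather than attempting to filter types at the boundary.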


While Barracuda has published a rather uninformative notice about the hotfix, IT security researchers from watchTowr provide an amusing read based on at least one of the vulnerabilities in WSDL processing (CVE-2025-34392).

In mid-2023, Barracuda's Email Security Gateway (ESG) was noted for security vulnerabilities that could not be easily fixed. The appliances had to be completely replaced.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.