CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-34153

CVSS 10.0v4.0pub. 2025-08-13upd. 2026-04-15

Hyland OnBase versions prior to 17.0.2.87 (other versions may be affected) are vulnerable to unauthenticated remote code execution via insecure deserialization on the .NET Remoting TCP channel. The service registers a listener on port 6031 with the URI endpoint TimerServer, implemented in Hyland.Core.Timers.dll. This endpoint deserializes untrusted input using the .NET BinaryFormatter, allowing attackers to execute arbitrary code under the context of NT AUTHORITY\SYSTEM.

🤖 AI Analysis
How it works

The service registers a listener on TCP port 6031 with a URI endpoint named TimerServer, implemented in the Hyland.Core.Timers.dll library. The endpoint deserializes untrusted input using the .NET BinaryFormatter class, which is vulnerable to arbitrary code execution during the deserialization process. An attacker can send a crafted payload directly to this port without needing any credentials, resulting in code execution in the context of NT AUTHORITY\SYSTEM.

Impact

An attacker can execute arbitrary code with NT AUTHORITY\SYSTEM privileges, which means full takeover of the server, data exfiltration, installation of backdoors, and the ability to perform lateral movement within the internal network.

Mitigation & patch

Hyland OnBase must be updated to version 17.0.2.87 or later (including Foundation 24.1 or higher) in accordance with the vendor's security bulletin OB2025-02. As a temporary workaround, it is recommended to restrict network access to TCP port 6031 only to trusted hosts using a firewall or network segmentation rules.

Who is affected

Hyland OnBase in versions earlier than 17.0.2.87; other product versions may also be vulnerable — the exact scope is indicated in the vendor's references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCEDeserialization
CWE
References