Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, does not verify the URL defined in an attacker-controlled WSDL that is later loaded by the application. This can lead to arbitrary file write and remote code execution via webshell upload.
The application loads a WSDL (Web Services Description Language) file whose URL is controlled by the attacker, without verifying the specified address. The absolute path traversal mechanism (CWE-36) allows the attacker to force the application to write an arbitrary file to a selected location on the server. In practice, this enables uploading a webshell and subsequently executing remote system commands (RCE).
An attacker can gain full control over the server — write and execute arbitrary code (webshell), leading to RCE without the need for any credentials. It is possible to compromise the entire environment managed by the RMM platform.
Barracuda RMM must be immediately updated to version 2025.1.1 or newer, in which the vendor has removed the described vulnerability. Patch details are available in the vendor's official release notes (Release Notes 2025.1.1).
Barracuda RMM (Barracuda Service Center) in all versions prior to 2025.1.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XBarracuda Rmm
APPBarracuda< 2025.1.1
Related vulnerabilities
Barracuda RMM – RCE przez insecure reflection w Service Center
Barracuda RMM — RCE przez deserializację .NET Remoting w Service Center
Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, exposes a .NET Re...
A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor...
Wstrzyknięcie parametrów w Barracuda ESG przez podatną bibliotekę Spreadsheet-ParseExcel