{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-34153", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2025-04-15T19:15:22.565Z", "datePublished": "2025-08-13T16:51:26.020Z", "dateUpdated": "2025-11-19T01:28:25.952Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Hyland.Core.Timers.dll", ".NET Remoting TCP Channel", "TimerServer"], "product": "OnBase", "vendor": "Hyland Software", "versions": [{"lessThan": "17.0.2.87", "status": "affected", "version": "*", "versionType": "semver"}, {"status": "unaffected", "version": "24.1"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hyland:onbase:*:*:*:*:*:*:*:*", "versionEndExcluding": "17.0.2.87", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Victor Morales of GM Sectec"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Hyland OnBase versions prior to 17.0.2.87 (other versions may be affected) are vulnerable to unauthenticated remote code execution via insecure deserialization on the .NET Remoting TCP channel. The service registers a listener on port 6031 with the URI endpoint TimerServer, implemented in Hyland.Core.Timers.dll. This endpoint deserializes untrusted input using the .NET BinaryFormatter, allowing attackers to execute arbitrary code under the context of NT AUTHORITY\\SYSTEM."}], "value": "Hyland OnBase versions prior to 17.0.2.87 (other versions may be affected) are vulnerable to unauthenticated remote code execution via insecure deserialization on the .NET Remoting TCP channel. The service registers a listener on port 6031 with the URI endpoint TimerServer, implemented in Hyland.Core.Timers.dll. This endpoint deserializes untrusted input using the .NET BinaryFormatter, allowing attackers to execute arbitrary code under the context of NT AUTHORITY\\SYSTEM."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 10, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-11-19T01:28:25.952Z"}, "references": [{"tags": ["technical-description", "exploit"], "url": "https://gist.github.com/VAMorales/32794cccc2195a935623a12ef32760dc"}, {"tags": ["product"], "url": "https://www.hyland.com/en/internal/onbase-unity-client"}, {"tags": ["patch"], "url": "https://support.hyland.com/r/OnBase/WorkView/Foundation-24.1/WorkView/Installation/Upgrade-Considerations/Upgrading-to-OnBase-Version-Foundation-24.1"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/hyland-onbase-net-remoting-tcp-channel-unauthenticated-rce"}], "source": {"discovery": "UNKNOWN"}, "title": "Hyland OnBase < 17.0.2.87 .NET Remoting TCP Channel Unauthenticated RCE", "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-13T00:00:00+00:00", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2025-34153"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-14T03:56:02.790Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-34153", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-13T17:26:09.133327Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-13T17:27:16.168Z"}}], "cna": {"title": "Hyland OnBase < 17.0.2.87 .NET Remoting TCP Channel Unauthenticated RCE", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Victor Morales of GM Sectec"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Hyland Software", "modules": ["Hyland.Core.Timers.dll", ".NET Remoting TCP Channel", "TimerServer"], "product": "OnBase", "versions": [{"status": "affected", "version": "*", "lessThan": "17.0.2.87", "versionType": "semver"}, {"status": "unaffected", "version": "24.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://gist.github.com/VAMorales/32794cccc2195a935623a12ef32760dc", "tags": ["technical-description", "exploit"]}, {"url": "https://www.hyland.com/en/internal/onbase-unity-client", "tags": ["product"]}, {"url": "https://support.hyland.com/r/OnBase/WorkView/Foundation-24.1/WorkView/Installation/Upgrade-Considerations/Upgrading-to-OnBase-Version-Foundation-24.1", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/hyland-onbase-net-remoting-tcp-channel-unauthenticated-rce", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "Hyland OnBase versions prior to 17.0.2.87 (other versions may be affected) are vulnerable to unauthenticated remote code execution via insecure deserialization on the .NET Remoting TCP channel. The service registers a listener on port 6031 with the URI endpoint TimerServer, implemented in Hyland.Core.Timers.dll. This endpoint deserializes untrusted input using the .NET BinaryFormatter, allowing attackers to execute arbitrary code under the context of NT AUTHORITY\\SYSTEM.", "supportingMedia": [{"type": "text/html", "value": "Hyland OnBase versions prior to 17.0.2.87 (other versions may be affected) are vulnerable to unauthenticated remote code execution via insecure deserialization on the .NET Remoting TCP channel. The service registers a listener on port 6031 with the URI endpoint TimerServer, implemented in Hyland.Core.Timers.dll. This endpoint deserializes untrusted input using the .NET BinaryFormatter, allowing attackers to execute arbitrary code under the context of NT AUTHORITY\\SYSTEM.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hyland:onbase:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "17.0.2.87"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-11-19T01:28:25.952Z"}}}, "cveMetadata": {"cveId": "CVE-2025-34153", "state": "PUBLISHED", "dateUpdated": "2025-11-19T01:28:25.952Z", "dateReserved": "2025-04-15T19:15:22.565Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2025-08-13T16:51:26.020Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Hyland OnBase versions prior to 17.0.2.87 (other versions may be affected) are vulnerable to unauthenticated remote code execution via insecure deserialization on the .NET Remoting TCP channel. The service registers a listener on port 6031 with the URI endpoint TimerServer, implemented in Hyland.Core.Timers.dll. This endpoint deserializes untrusted input using the .NET BinaryFormatter, allowing attackers to execute arbitrary code under the context of NT AUTHORITY\\SYSTEM."}, {"lang": "es", "value": "Las versiones de Hyland OnBase anteriores a la 17.0.2.87 (otras versiones podr\u00edan verse afectadas) son vulnerables a la ejecuci\u00f3n remota de c\u00f3digo no autenticado mediante una deserializaci\u00f3n insegura en el canal TCP de .NET Remoting. El servicio registra un receptor en el puerto 6031 con el endpoint URI TimerServer, implementado en Hyland.Core.Timers.dll. Este endpoint deserializa la entrada no confiable mediante .NET BinaryFormatter, lo que permite a los atacantes ejecutar c\u00f3digo arbitrario en el contexto de NT AUTHORITY\\SYSTEM."}], "id": "CVE-2025-34153", "lastModified": "2025-11-04T23:15:36.467", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2025-08-13T17:15:27.663", "references": [{"source": "disclosure@vulncheck.com", "url": "https://gist.github.com/VAMorales/32794cccc2195a935623a12ef32760dc"}, {"source": "disclosure@vulncheck.com", "url": "https://support.hyland.com/r/OnBase/WorkView/Foundation-24.1/WorkView/Installation/Upgrade-Considerations/Upgrading-to-OnBase-Version-Foundation-24.1"}, {"source": "disclosure@vulncheck.com", "url": "https://www.hyland.com/en/internal/onbase-unity-client"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/hyland-onbase-net-remoting-tcp-channel-unauthenticated-rce"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"created": "2025-08-16T21:41:33.362943+00:00", "updated": "2025-08-16T21:41:33.362997+00:00", "vendors": ["hyland", "hyland$PRODUCT$onbase"]}