CVE-2025-34153 Overview
CVE-2025-34153 is a critical unauthenticated remote code execution vulnerability affecting Hyland OnBase enterprise content management software. The vulnerability exists in the .NET Remoting TCP channel used by the Hyland Timer Service, which listens on port 6031 with the URI endpoint TimerServer. This endpoint, implemented in Hyland.Core.Timers.dll, deserializes untrusted input using the .NET BinaryFormatter class, allowing attackers to execute arbitrary code without authentication under the context of NT AUTHORITY\SYSTEM.
Critical Impact
This vulnerability enables unauthenticated remote attackers to achieve full system compromise with SYSTEM-level privileges by exploiting insecure deserialization in the Hyland Timer Service.
Affected Products
- Hyland OnBase versions prior to 17.0.2.87
- Other Hyland OnBase versions may also be affected
Discovery Timeline
- 2025-08-13 - CVE-2025-34153 published to NVD
- 2026-02-13 - Last updated in NVD database
Technical Details for CVE-2025-34153
Vulnerability Analysis
This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). The root issue lies in the use of the .NET BinaryFormatter class to deserialize data received over a network connection without proper validation or authentication. The BinaryFormatter class has been widely documented as inherently insecure when used with untrusted data, as it can instantiate arbitrary types during deserialization, leading to code execution.
The Hyland Timer Service exposes a .NET Remoting endpoint accessible over TCP on port 6031. When an attacker sends a specially crafted serialized object to this endpoint, the service deserializes it using BinaryFormatter, which can trigger the execution of arbitrary code. Because the Timer Service runs under the NT AUTHORITY\SYSTEM account, successful exploitation grants the attacker the highest possible privileges on the Windows system.
Root Cause
The vulnerability stems from the use of the deprecated and inherently unsafe .NET BinaryFormatter for deserializing data received from untrusted network sources. The TimerServer endpoint in Hyland.Core.Timers.dll does not implement authentication or input validation before deserializing incoming requests, allowing any network-accessible attacker to exploit the service.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Identifying a Hyland OnBase installation with the Timer Service exposed on port 6031
- Crafting a malicious serialized .NET object containing a gadget chain (such as those generated by ysoserial.net)
- Sending the payload to the TimerServer endpoint via TCP
- The BinaryFormatter deserializes the payload, triggering arbitrary code execution under NT AUTHORITY\SYSTEM
The exploitation mechanism leverages well-known .NET deserialization gadget chains that abuse types present in common .NET libraries. Technical details and proof-of-concept information are available in the GitHub Gist Resource and the VulnCheck Advisory.
Detection Methods for CVE-2025-34153
Indicators of Compromise
- Unexpected network connections to port 6031 from external or untrusted IP addresses
- Suspicious child processes spawned by the Hyland Timer Service (Hyland.Core.Timers.exe or related service processes)
- Evidence of .NET deserialization attacks in memory dumps or process artifacts
- Unusual SYSTEM-level process activity or new service installations following Timer Service requests
Detection Strategies
- Monitor network traffic for connections to TCP port 6031 from untrusted sources
- Implement intrusion detection rules to identify .NET BinaryFormatter deserialization payloads (e.g., ysoserial.net gadget chain signatures)
- Use endpoint detection and response (EDR) solutions to monitor for suspicious process creation by the Hyland Timer Service
- Deploy SentinelOne agents to detect and block exploitation attempts targeting insecure deserialization
Monitoring Recommendations
- Enable detailed logging for the Hyland Timer Service and review logs for anomalous requests
- Configure network monitoring to alert on unexpected traffic to port 6031
- Implement process behavior analytics to detect SYSTEM-level code execution anomalies
- Regularly audit running services and their network exposure
How to Mitigate CVE-2025-34153
Immediate Actions Required
- Upgrade Hyland OnBase to version 17.0.2.87 or later as recommended by Hyland
- If immediate patching is not possible, restrict network access to port 6031 using firewall rules
- Isolate affected OnBase servers from untrusted network segments
- Monitor for exploitation attempts while remediation is in progress
Patch Information
Hyland has released a security update addressing this vulnerability. Refer to the Hyland Security Bulletin OB2025-02 for official patch information and upgrade guidance. Additional upgrade considerations are documented in the Hyland OnBase Upgrade Considerations resource.
Workarounds
- Block TCP port 6031 at the network perimeter and host-based firewalls to prevent external exploitation
- If the Timer Service is not required, disable or stop the service until patching can be completed
- Implement network segmentation to limit exposure of OnBase infrastructure
- Deploy application-level controls to restrict access to .NET Remoting endpoints
# Block access to port 6031 using Windows Firewall
netsh advfirewall firewall add rule name="Block OnBase Timer Port 6031" dir=in action=block protocol=tcp localport=6031
# Verify the rule was added
netsh advfirewall firewall show rule name="Block OnBase Timer Port 6031"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
