CVE-2025-34153 Overview
CVE-2025-34153 is an unauthenticated remote code execution vulnerability in Hyland OnBase versions prior to 17.0.2.87. The Hyland Timer Service registers a .NET Remoting TCP listener on port 6031 with the URI endpoint TimerServer, implemented in Hyland.Core.Timers.dll. The endpoint deserializes untrusted input using the .NET BinaryFormatter, which permits attackers to inject malicious serialized objects. Successful exploitation executes arbitrary code under the NT AUTHORITY\SYSTEM account, granting full control of the affected host. The flaw is classified under [CWE-502] (Deserialization of Untrusted Data) and requires no authentication, credentials, or user interaction.
Critical Impact
Unauthenticated attackers reaching TCP port 6031 can execute arbitrary code as NT AUTHORITY\SYSTEM, achieving complete compromise of the OnBase host.
Affected Products
- Hyland OnBase versions prior to 17.0.2.87
- Hyland Timer Service component (Hyland.Core.Timers.dll)
- Other Hyland OnBase releases exposing the TimerServer .NET Remoting endpoint on port 6031
Discovery Timeline
- 2025-08-13 - CVE-2025-34153 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-34153
Vulnerability Analysis
The Hyland Timer Service exposes a .NET Remoting endpoint over a TCP channel bound to port 6031. The service registers the URI TimerServer and accepts serialized payloads from any network client without authentication. Inbound requests are deserialized using BinaryFormatter, a .NET API Microsoft has formally deprecated due to its inability to safely process attacker-controlled data. An attacker who can reach port 6031 can deliver a crafted gadget chain that triggers code execution during object reconstruction. Because the Timer Service runs as SYSTEM, the resulting code execution provides unrestricted privileges on the host. Public proof-of-concept material referenced in the VulnCheck Advisory on Hyland RCE and the GitHub PoC Repository demonstrate practical exploitation paths.
Root Cause
The root cause is unsafe deserialization. The TimerServer endpoint passes untrusted byte streams directly to BinaryFormatter.Deserialize, which instantiates types and invokes methods specified in the payload. No type filtering, allowlisting, or authentication is enforced before deserialization, so any reachable client can supply malicious gadgets such as those produced by ysoserial.net.
Attack Vector
Exploitation occurs over the network. An attacker establishes a TCP connection to port 6031 on the OnBase server and submits a serialized .NET object targeting the TimerServer URI. Internet-exposed or flat internal networks where this port is reachable from workstations significantly increase the attack surface. No credentials, prior access, or user interaction are required.
For verified technical details and exploitation specifics, refer to the VulnCheck Advisory on Hyland RCE and the Hyland Security Bulletin OB2025-02.
Detection Methods for CVE-2025-34153
Indicators of Compromise
- Unexpected inbound TCP connections to port 6031 on OnBase servers originating from non-administrative hosts
- Child processes spawned by the Hyland Timer Service process (for example cmd.exe, powershell.exe, rundll32.exe) running as NT AUTHORITY\SYSTEM
- New scheduled tasks, services, or local accounts created shortly after Timer Service activity
- Outbound connections from the Timer Service process to untrusted IP addresses or LOLBin download sources
Detection Strategies
- Hunt for process lineage where the Timer Service binary is the parent of interactive shells or scripting interpreters
- Inspect network flow logs for TCP traffic to port 6031 from sources outside the documented OnBase administrative range
- Monitor loaded modules inside the Timer Service process for Hyland.Core.Timers.dll deserializing payloads followed by reflective assembly loads
Monitoring Recommendations
- Enable Windows process creation auditing (Event ID 4688) and Sysmon Event IDs 1, 3, and 7 on OnBase hosts
- Forward Timer Service logs and Windows security telemetry to a centralized analytics platform for correlation
- Alert on first-seen executions of .NET deserialization gadget patterns such as System.Windows.Data.ObjectDataProvider references in process memory or crash dumps
How to Mitigate CVE-2025-34153
Immediate Actions Required
- Upgrade Hyland OnBase to version 17.0.2.87 or later as directed by the Hyland Security Bulletin OB2025-02
- Block external and lateral access to TCP port 6031 at host and network firewalls until the patch is applied
- Inventory all OnBase deployments and confirm the Timer Service version on each host
- Review authentication logs and process telemetry for signs of prior exploitation
Patch Information
Hyland has released fixed builds beginning with OnBase 17.0.2.87. Customers on older branches should follow the upgrade path described in the Hyland Upgrade Considerations and validate the Timer Service binary version after deployment. Confirm the patch is applied to every server hosting Hyland.Core.Timers.dll, including disaster-recovery and staging environments.
Workarounds
- Restrict TCP port 6031 to a tightly scoped management subnet using host-based firewall rules (netsh advfirewall) or network ACLs
- Disable the Hyland Timer Service on hosts where it is not operationally required
- Place OnBase application servers behind segmentation boundaries that prevent direct access from user workstations
- Continuously monitor for any process spawned by the Timer Service that is not part of its expected job set
# Configuration example: block TCP/6031 inbound on Windows hosts
netsh advfirewall firewall add rule name="Block Hyland Timer Service 6031" \
dir=in action=block protocol=TCP localport=6031
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
