Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66631

CVE-2025-66631: CSLA .NET WcfProxy RCE Vulnerability

CVE-2025-66631 is a remote code execution vulnerability in CSLA .NET Framework affecting versions 5.5.4 and below. Attackers can exploit WcfProxy's insecure deserialization to execute arbitrary code on vulnerable systems.

Updated:

CVE-2025-66631 Overview

CVE-2025-66631 is an insecure deserialization vulnerability [CWE-502] in CSLA .NET, a framework used to build reusable object-oriented business layers for .NET applications. Versions 5.5.4 and below ship a WcfProxy component that relies on the obsolete NetDataContractSerializer (NDCS). Attackers can send crafted serialized payloads through the data portal to trigger remote code execution during deserialization. The maintainers, MarimerLLC, addressed the issue in CSLA version 6.0.0. Organizations running affected versions with WcfProxy configured in the data portal are exposed to unauthenticated network-based code execution.

Critical Impact

Unauthenticated attackers can achieve remote code execution by sending crafted serialized objects to a CSLA .NET data portal that uses WcfProxy.

Affected Products

  • CSLA .NET versions 5.5.4 and below
  • Applications using WcfProxy in data portal configurations
  • Components relying on NetDataContractSerializer (NDCS) for transport

Discovery Timeline

  • 2025-12-09 - CVE-2025-66631 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2025-66631

Vulnerability Analysis

The vulnerability stems from CSLA .NET's WcfProxy using NetDataContractSerializer to deserialize messages received by the data portal. Microsoft deprecated NDCS because it preserves full .NET type information in the serialized stream and instantiates arbitrary types during deserialization. When a server-side data portal endpoint accepts WCF traffic, an attacker can submit a serialized object graph that references gadget chains within loaded assemblies. The deserializer reconstructs those types and invokes setters, callbacks, and converters that execute attacker-controlled logic. This pattern matches well-documented .NET deserialization gadget abuse seen with BinaryFormatter and NetDataContractSerializer. Successful exploitation grants the attacker code execution in the context of the data portal host process. The CSLA maintainers removed WcfProxy entirely in version 6.0.0 rather than attempting to harden NDCS usage.

Root Cause

The root cause is use of NetDataContractSerializer inside WcfProxy. NDCS is unsafe for untrusted input because it deserializes any CLR type embedded in the payload. CSLA .NET did not enforce a type allowlist or SerializationBinder constraints before processing inbound data portal messages.

Attack Vector

Exploitation requires network access to a CSLA .NET data portal endpoint configured with WcfProxy. The attacker crafts a WCF message containing a serialized gadget chain and submits it without authentication. The vulnerability is described in the GitHub Security Advisory GHSA-wq34-7f4g-953v and the maintainer pull request removing WcfProxy. No proof-of-concept code is publicly available at this time.

Detection Methods for CVE-2025-66631

Indicators of Compromise

  • Inbound WCF requests to CSLA data portal endpoints containing NetDataContractSerializer XML namespaces or z:Type attributes referencing non-business types
  • Unexpected child processes spawned by the data portal host (w3wp.exe, custom WCF service host) such as cmd.exe, powershell.exe, or rundll32.exe
  • Outbound network connections from the data portal process to unfamiliar destinations following inbound WCF traffic

Detection Strategies

  • Inspect application binaries for references to Csla.DataPortalClient.WcfProxy and System.Runtime.Serialization.NetDataContractSerializer
  • Monitor process lineage from CSLA data portal hosts and alert on script interpreters or LOLBins launched as children
  • Review WCF service configuration files for endpoints bound to CSLA data portal contracts on internet-reachable interfaces

Monitoring Recommendations

  • Enable verbose WCF tracing on data portal services and forward logs to a centralized analytics platform for review
  • Track .NET runtime assembly load events for unusual types resolved during deserialization
  • Alert on authentication failures and anomalous payload sizes against data portal URIs

How to Mitigate CVE-2025-66631

Immediate Actions Required

  • Upgrade CSLA .NET to version 6.0.0 or later, which removes WcfProxy entirely
  • Inventory all applications using CSLA and identify any data portal configuration referencing WcfProxy
  • Restrict network access to data portal endpoints to trusted clients via firewall or service mesh policies until patching is complete

Patch Information

The issue is fixed in CSLA .NET 6.0.0. The maintainer pull request #4018 removes the vulnerable WcfProxy proxy class. Refer to the GitHub Security Advisory GHSA-wq34-7f4g-953v for vendor guidance and the issue discussion for background.

Workarounds

  • Remove WcfProxy from data portal configurations and switch to a supported proxy such as HttpProxy
  • Disable any WCF endpoints that route CSLA data portal traffic until the upgrade is deployed
  • Block external access to WCF data portal URIs at the perimeter and require mutual TLS for internal callers

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.