CVE-2025-34153
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-13

Last updated on: 2026-02-13

Assigner: VulnCheck

Description
Hyland OnBase versions prior to 17.0.2.87 (other versions may be affected) are vulnerable to unauthenticated remote code execution via insecure deserialization on the .NET Remoting TCP channel. The service registers a listener on port 6031 with the URI endpoint TimerServer, implemented in Hyland.Core.Timers.dll. This endpoint deserializes untrusted input using the .NET BinaryFormatter, allowing attackers to execute arbitrary code under the context of NT AUTHORITY\SYSTEM.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-13
Last Modified
2026-02-13
Generated
2026-05-07
AI Q&A
2025-08-13
EPSS Evaluated
2026-05-05
NVD
CVE-2025-34153
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
hyland onbase 24.1
hyland onbase *
hyland onbase 17.0.2.87
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-34153 is a critical security flaw in Hyland OnBase versions prior to 17.0.2.87, caused by insecure deserialization in the .NET Remoting TCP channel. The service listens on port 6031 at the TimerServer endpoint, which deserializes untrusted input using the .NET BinaryFormatter without proper validation. This allows an unauthenticated attacker to send specially crafted serialized data that executes arbitrary code remotely with SYSTEM-level privileges, leading to full system compromise. [1]


How can this vulnerability impact me? :

This vulnerability can lead to complete system compromise on affected machines running the OnBase Timers service. An attacker can remotely execute arbitrary code with the highest system privileges (NT AUTHORITY\SYSTEM) without authentication. This means the attacker can control the system, access sensitive data, install malware, disrupt services, or use the compromised system as a foothold for further attacks. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by checking if the Hyland OnBase TimerServer service is listening on TCP port 6031. Use network scanning tools or commands like 'netstat -an | findstr 6031' on the server to verify if the port is open. Additionally, you can attempt to send a benign test payload using ExploitRemotingService.exe targeting tcp://<onbase-server>:6031/TimerServer to see if the service responds to deserialization requests. Monitoring for unexpected files such as 'c:\temp\whoami.txt' created by test payloads can also indicate vulnerability. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading Hyland OnBase to version 17.0.2.87 or later, where the vulnerability is fixed. If upgrading is not immediately possible, restrict network access to port 6031 to trusted hosts only, such as via firewall rules, to prevent unauthenticated remote exploitation. Additionally, monitor and audit the TimerServer service for suspicious activity and consider disabling the service if it is not required. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart